Berkeley gets unified
California university embraces integrated

Microsoft extends its directory to boost its identity management plan.

Early adopters of x86 systems cite cost savings and easier management.
Gaming Google

Pet suppliers barking over online practices.

BY NANCY GOHRING, IDG NEWS SERVICE

When Google recently removed BMW.de from its database for using unfair Web design techniques, a collective cheer rose from the ranks of other designers around the globe. Instead of indicating an impending crackdown on tricks aimed at manipulating search engine results, however, the incident served to spotlight disagreements over what constitutes abuse.

It also led experts to reach a conclusion that some Webmasters might find unsettling, namely that Google isn’t and maybe cannot be the police of the Web.

See Google, page 55


COLIN  JOHNSON 


Serial Attached SCSI switch holds promise for SMBs

BY DENI CONNOR

A new switching technology, Serial Attached SCSI, is catching the attention of server vendors and industry experts for its ability to network more storage devices than SCSI and preserve user investments in direct-attached disk drives.

LSI Logic this week is expected to demonstrate a 1U (1 3/4-inch-high) 36-port SAS switch at Storage Networking World in San Diego. The switch lets users join as many as 10 host computers to a

See SAS, page 12

Virtualization gaining ground in open source

BY JENNIFER MEARS AND PHIL HOCHMUTH

Open source efforts to make it easier for companies to virtualize data center resources, whether they are Linux- or Windows-based, will be on full display this week at the LinuxWorld Conference and Expo in Boston.

Virtualization specialists XenSource and Virtual Iron, both rooted in Linux and open source, plan to use the show to announce support for Microsoft systems.

VMware, which created the market for virtualizing x86-based servers, plans to throw open the proprietary file format behind its virtual machines, making available to third-party developers and management software vendors the technology it uses to create software containers that include an operating system, applications and related data.

The idea is to create a standard, open platform for virtualizing x86-based servers so customers have more choices when it comes to deploying, managing and monitoring virtual resources. The move should help spur adoption of the nascent technology, industry observers say.

“With proprietary technology people box themselves in,” says Eric Bogatie, president and CTO of managed service provider NI Solutions in Ontario. “The adoption of Linux has been huge because of the open development community and the sharing of ideas and technologies. That’s what I love about Virtual Iron’s technology: they’re working with other companies who say, ‘Yes, we will support you guys and develop technology that will allow us to talk to your technology.’”

See LinuxWorld, page 14


The NAC labyrinth

Mapping Cisco, Juniper, Microsoft and TCG access control schemes.

BY JOEL SNYDER, NETWORK WORLD LAB ALLIANCE

In-depth, testing-based coverage of key technology issues

Network access control represents the most significant change in the way that networks are secured since the invention of the firewall. But it’s also contentious, confusing and — when done right — complicated.

With the stampede of vendors laying claim to NAC territory, IT managers are now presented with an overwhelming number of architectures and tools designed to help create a strong link between users, end systems and access to network resources. In an effort to provide some insight into how each may or may not fit into your network, herein is a breakdown of their similarities and differences.

NAC is a broad new buzzword, and security and network vendors all have ideas about how best to give their products and services a place in the NAC universe. The major NAC schemes we examined were Cisco’s Network Admission Control, Juniper’s Infranet, Microsoft’s Network Access Protection and the Trusted Computing Group's (TCG) Trusted Network Connect.

See Network access control, page 39


Navigating the NAC labyrinth

Network access control is a hot new buzzword upon which many security vendors are trying to hang their hats. The problem for enterprises looking to implement a NAC scheme near- or long-term is that there are many disparate NAC architectures making the rounds in the network industry. Network World Lab Alliance member Joel Snyder dissects the NAC plans of the Trusted Computing Group, Cisco, Microsoft and Juniper, pointing out the similarities and the differences, and the pros and cons of each. Page 1.

Online: Snyder makes an educated guess as to why there are competing NAC plans and takes a stab at which ones might win out. www.nwdocfinder.com/2825
How not to write a support doc

On IT Borderlands, Ken Fasimpaur casts a wary eye on some instructions from Dell on replacing dislodged laptop keys.
DocFinder: 5242

ITVideo: Good idea but . . .

Editor Keith Shaw looks at a couple of products — Project-a-Phone and Soldius1 — that came to the Cool Tools Lab with a lot of promise but didn't live up to expectations.
DocFinder: 2842

Apple and the French

Columnist Mark Gibbs urged Apple CEO Steve Jobs to pay close attention to French efforts to open up iTunes — and readers react.
DocFinder: 2843

All-Star call for entries

Get recognition for your cool network project. Enter our 2006 Enterprise All-Star Award competition. Go online for more information and a nomination form.
DocFinder: 2436

Online help and advice

Discovering Visa's security requirements

Help desk guru Ron Nutter helps a user figure out what he needs to meet them.
DocFinder: 2844

Best management questions

At a recent Network World Tech Tour, we collected network management questions from the audience about topics ranging from technologies to managing change. Management guru Jim Metzler answers them online.
DocFinder: 2845

Consolidated devices: When it's time to use them

Analyst Robin Gareiss shows you how to compare these multipurpose network devices with a "best-of-breed" approach in the branch office.
DocFinder: 2846

Extending collaboration tools to remote workers

Senior analyst Mike Karp helps you figure out if you — and your network — are ready for this.
DocFinder: 2847

What  is  DocFinder? 

We’ve  made  it  easy  to  access  articles  and  resources 
online.  Simply  enter  the  four-digit  DocFinder  number  in 
the  search  box  on  the  home  page,  and  you’ll  jump  directly 
to  the  requested  information. 
Data-protection bill advances

■ A House of Representatives committee has unanimously approved a bill that would create new regulations for data brokers, including a requirement that U.S. companies that traffic in personal data notify victims of breaches. The House Energy and Commerce Committee’s 41-0 approval of the Data Accountability and Trust Act comes a year after the beginning of a rash of data breaches at dozens of U.S. companies, starting with data brokers ChoicePoint and LexisNexis. The bill, which now goes to the full House for a vote, requires any company that “experiences reasonable risk of identity theft” to notify potential victims as well as the Federal Trade Commission. Companies that encrypt data are exempt from notification rules under the bill, as some tech trade groups have requested. Backers of an encryption exemption say it would encourage more companies to use encryption.

Google to issue 5.3 million shares

■ Even after amassing $8 billion in cash by the end of 2005, Google is looking for more, announcing last week that it plans to issue an additional 5.3 million shares of stock. The shares would bring in about $2.1 billion. The sale is intended in part to meet the needs of index funds to purchase Google stock once Google is added to the S&P 500 Index, Google says. The company was to be added to the S&P 500 Index at the close of trading last Friday. Google will use the money for working capital, expenses and possible acquisitions of complementary businesses, technologies or other assets, it says. Since going public in 2004, Google has grown flush with cash. The initial public offering raised $1.7 billion. It was followed by an offering last September of more than 14 million shares that raised an additional $4 billion.

Banks hit by novel hacker attack

■ Three Florida banks have had their Web sites compromised by hackers in an attack that security experts are calling the first of its type. Earlier this month, attackers were able to hack servers run by the ISP that hosted the three banks’ Web sites. They redirected traffic from the legitimate Web sites to a bogus server designed to resemble the banking sites, according to Bob Breeden, special agent supervisor with the Florida Department of Law Enforcement’s Computer Crime Center. Users were then asked to enter credit card numbers, PINs and other types of sensitive information. According to Breeden, the affected banks are Premier Bank, Wakulla Bank and Capital City Bank, all small regional banks. The attack was similar to phishing attacks that are commonly used against online commerce sites, but in this case hackers made changes to legitimate Web sites, making the scam much harder for regular users to detect.

COMPENDIUM

Best use of SQL ever

Samuel Aina has written a SQL Server application to solve Sudoku puzzles. Read his documentation at www.nwdocfinder.com/2850.

The Good The Bad The Ugly

Outsourcing? What outsourcing? A survey released last week by a CIO trade association says that the media is all wet about outsourcing and offshoring. The Society for Information Management found in its survey of 100 mostly large companies that 80% of the organizations plan to hire to fill in-house entry and mid-level IT jobs this year. See the survey at www.nwdocfinder.com/2840.

Losing sleep in Indiana. Not only will network pros in Indiana lose an hour of sleep when the state begins observing daylight-saving time this weekend, but they could lose some shut-eye over a related IT issue as well. Some are speculating that calendars and other programs dependent on time could go haywire. “This is like Y2K except this one is really happening," a Purdue University IT spokesman told Wired News.

“Eric wrote SendMail, I let the public on the Internet .... There you go, that's why we have spam.”

Barry Shein, CEO of ISP The World, about SendMail author Eric Allman at the MIT Spam Conference last week.

See a story on the conference at www.nwdocfinder.com/2851

Microsoft touts FrontBridge

■ Seven months after purchasing e-mail hygiene service provider FrontBridge, Microsoft last week repackaged the capabilities of the service under the name Exchange Hosted Services. Microsoft plans to add the services to its growing list of capabilities offered under the software-as-a-service model. The services will work with corporate deployments of Exchange, as well as Exchange run in a hosted model. It is intended to be a complement to on-premises e-mail hygiene software such as Windows Defender and Antigen for Exchange. Exchange Hosted Services has four offerings: Filtering, Encryption, Continuity and Archive. Microsoft plans to make the services available to volume licensing customers this week and update the service with new features and functionality every three months. Filtering will be priced at $1.75 per user, per month; Archiving at $17.25 per user, per month with an unlimited retention period and 3.6GB of storage; Continuity at $2.50 per user, per month; and Encryption at $1.90 per user, per month.

Florida outsourcing fiasco. Florida state employees are being warned that their personal information may have been compromised after work on the state’s People First payroll and human resources system was improperly subcontracted to a company in India. State employees were notified about the breach by e-mail after a subcontractor of outsourcing service provider Convergys improperly allowed other subcontractors in India to index state personnel files, a Florida spokeswoman said.

Claria turns over a new leaf

■ Online marketing firm Claria, which recently said it will exit the adware pop-up business that made its Gator and Gain network infamous, last week unveiled PersonalWeb, a new business strategy based on desktop software for consumers. The free software, available in beta, can learn what topics a user is most interested in based on Web surfing habits. Claria would apply its RelevancyRank technology to monitor and analyze a user’s most-visited Web pages on an anonymous basis without identifying the user by name, according to Scott Eagle, Claria executive vice president. The company’s business model calls for publishers and other content providers to pay to present content as advertised links on PersonalWeb to targeted users. Claria also announced that SoftBank America, Rogers Communications and Asia-Pacific Ventures have supplied $40 million in funding for PersonalWeb. In addition, Yahoo Japan and SoftBank said they will provide PersonalWeb-based services in Japan.


Microsoft to extend Active Directory

Platform work

Here is Microsoft's plan for filling out its identity and access management platform.

| Technologies | Where | Description |
| --- | --- | --- |
| Windows Workflow Foundation | Microsoft Identity and Integration Server (MIIS); Longhorn Server in 2007 | Designed as a common engine across Windows to extend provisioning and routing throughout the network. |
| Delegated administration | Active Directory. Longhorn Server | Administrative rights become less of an all-or-nothing proposition. |
| Web access management | Active Directory Federation Services. Windows Server 2003 Release 2 | A start to addressing the issue of authentication and authorization for Web-based applications. |
| User self service | MIIS/Gemini. Longhorn Server | Users given the ability to manage some level of data. |
| Password management | MIIS/Gemini. Longhorn Server | Today this capability is available from partners. |
| Virtual directory | No stated plans | Enable Active Directory to work with third-party virtual directories. |

BY JOHN FONTANA

LAS VEGAS — Microsoft is racing to fill gaps and integrate technology into its identity management platform before customers shift to tools from other vendors.

Active Directory is being driven beyond its authentication and authorization roots, the company told attendees last week at the NetPro Directory Experts Conference, an independent forum focused on Active Directory and Microsoft Identity Integration Server (MIIS).

The plan, originally outlined in February, is to make Active Directory and a handful of add-ons for such tasks as rights management, a hub that supports many technologies targeted at identity and access management, including sophisticated provisioning tools now lacking from the Microsoft lineup.

While that is a noble goal, some analysts urge caution. “Active Directory is more stable and scaleable than many predicted it would be,” says John Enck, an analyst with Gartner. “But you can’t use [Active Directory] for everything.”

Enck says Microsoft needs to add or improve workflow, password management, user self-service and delegated administration capabilities to Active Directory and MIIS, the core of its identity platform. Both are foundation elements for Microsoft’s strategy.

Ultimately Microsoft would like this core to support strong credentials, access control, single sign-on, federated identity, information rights protection, process automation and auditing. The strategy also calls for integration with Microsoft’s Identity Metasystem initiative, user-centric privacy controls called InfoCard, a Longhorn middleware technology called Windows Communication Foundation and a slate of Web services-based protocols.

Users at the conference said they agree with the message and want to build out their Active Directory deployments to deal with the realities of privacy and access controls dictated by regulatory compliance issues.

[Sidebar] While identity management controls who gets access to what resources, Microsoft, Cisco and others are looking at controlling access to the network. See story, page 1.

Microsoft’s moves have been fueled by a recent wave of consolidation among identity vendors that has seen IBM, Oracle, Sun, Novell and others moving to create identity management platforms.

While some users are waiting for Active Directory to catch up with their needs, others say they have moved ahead with third-party tools for such things as workflow, single sign-on and Web-based access controls.

“It is a shame Microsoft is late in the game,” says Larry Brandolph, infrastructure engineering manager for Cigna in Philadelphia, which has been driven by federal regulations to adopt privacy and other controls supported by its Active Directory rollout. He says Cigna has rolled out third-party products to support identity needs such as role-based access control and Web single sign-on. “We’d have to rip that out to go with Microsoft, but first we’d have to do all the testing to see if it is reliable and scaleable.”

While he says that is not happening, the company is rolling out Windows Server 2003 to add new user certificate-based auto-enrollment and other features supported by the operating system.

Brandolph says, however, that identity technologies Microsoft is developing, such as federation and user self-service, could indirectly help Cigna when integrating with partners. “We can tell partners if they have the Microsoft federation services they can send us standardized authorization tokens we can use with our systems.”

For others, Microsoft can’t move fast enough. An IT architect with a Fortune 500 company who requested anonymity says he is waiting for the Windows Workflow Foundation (WWF) and hopes it is up to the task of replacing his aging workflow engine. Microsoft plans to ship WWF as part of a feature in Longhorn Server code-named Gemini.

He says he will be evaluating Gemini over the next nine months. “For a utility service like workflow, it has to be in the [operating system] because you know it will be available.” He says a common workflow engine distributed across his global network will make reliability management and support easier.

Today MIIS relies on workflow services from BizTalk, but integration among applications and business processes can be complex.

“Now that [Active Directory] is moving beyond domain services we need to take our planning up a notch,” says Peter Houston, senior director of identity and access management for Microsoft. Houston says the goal is to have “out-of-the-box” capabilities for such functions as compliance or auditing. “It is about more scenario-based capabilities rather than [Active Directory] and MIIS as a collection of technologies. We would rather understand the business scenarios and enable those out of the box.”

Observers say Microsoft has other decisions to make, such as if it will add Virtual Directory capabilities to its platform; some of its competitors are embracing the technology.

“For identity Microsoft needs to look at virtualization,” says Nick Nikols, an analyst with the Burton Group. He says the company needs to examine cross-platform integration, which today is provided by partners Centrify and Quest.

“Is [Microsoft’s] target to be a full-fledged identity player? I’m not sure yet.”


McAfee bundles security wares

BY ELLEN MESSMER

McAfee next month plans to start shipping all-in-one desktop security agent software that is expected to cost businesses half as much as buying the company’s anti-virus, anti-spyware and intrusion-prevention products individually.

Analysts say McAfee is trying to gain clout in the emerging anti-spyware market in advance of its chief competitors, Symantec and Trend Micro, and before Microsoft gets a foothold in anti-virus and anti-spyware later this year with its Vista operating system.

“The ambiguity between anti-virus and anti-spyware is forcing everyone to rethink what’s going on,” says Pete Lindstrom, research director at Spire Security. He says consolidating functionality into a single agent should ease management for customers.

“It definitely sounds like a good idea,” says Dan Lukas, lead security architect at Aurora Health Care in Milwaukee, about McAfee’s plans. Picking the best of breed from separate vendors and trying to manage it all can be a problem, he says.

McAfee’s single-agent software (now called Security Agent, though sources say that could change) is built on top of a new version of McAfee’s ePolicy Orchestrator (ePO) management client. The agent includes anti-spam and desktop firewall.

Pricing is targeted at $77 per user for 1,000 nodes in a package that includes the ePO management console and anti-spam and anti-virus gateways. McAfee will make other packages for small to midsize businesses and enterprises available, with the most basic starting at $30 per user for 50 nodes.

Eric Winsborrow, vice president of product marketing at McAfee, says the company will continue to sell stand-alone versions of its desktop anti-virus, anti-spyware, intrusion-prevention and other security products, if customers insist.

But McAfee is confident its gamble on a consolidated desktop agent at a reduced price will be preferred by most businesses. “Chief security officers just don’t want more agents to deploy,” he says.

Acquisition hunger

Separately, McAfee CEO George Samenuk last week said the vendor is on the prowl to buy security companies with technology that can be quickly integrated with McAfee’s products. Areas of interest include wireless security and safer Internet surfing for users. The acquisitions will be wholly in cash, and the deal sizes could range from $20 million to $500 million, said Samenuk, who added that the company has more than $1.2 billion in cash and is debt-free.

IDG News Service contributed to this report.




10  •  www.networkworld.com  •  4.3.06 


Phishing steals spotlight at MIT Spam Conference

BY CARA GARRETSON

While the volume of unwanted e-mail ebbs and flows, the nature of unwanted e-mail is steadily becoming more dangerous, say spam experts.

Advances in anti-spam technology and increased use of these products are delivering somewhat cleaner in-boxes and less-annoyed e-mail users, experts say. But no technology has been developed that can effectively protect e-mail users from phishing attacks that steal personal and financial information, and until this form of fraud can be detected and blocked, unwanted e-mail remains a threat.

“The spam problem will get worse, and the reason is phishing,” said Bill Yerazunis, senior research scientist with Mitsubishi Electric Research Laboratories, and chairman of the MIT Spam Conference, which held its fourth meeting in Cambridge, Mass., last week.

Yerazunis estimates 20% to 30% of all spam messages are phishing attacks. “For people who aren’t ’Net savvy they could lose their retirement money,” he said.

The response rate for phishing e-mails is higher than for spam, said Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more unsolicited e-mail, as anti-spam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage of recipients click on them, he said.

Not only is phishing dangerous for potential victims, it is destroying banks’ and other companies’ ability to communicate with their customers in the most effective way, Judge continued. “Some of the most powerful entities on earth can’t talk to their customers over e-mail” because phishing has corroded their customers’ trust, he said.

As one of the dozen companies, universities and laboratories presenting papers at the MIT Spam Conference last week, CipherTrust focused its talk on the rising threat of phishing. The company last week also announced PhishRegistry.org, a service designed to warn legitimate Web sites when they are being spoofed by phishers.

Anti-spam products that filter content aren’t able to catch phish because the actual theft doesn’t happen in e-mail, but at the forged Web site that a phishing message sends recipients to, said Jonathan Zdziarski, research scientist at CipherTrust.

The company has developed technology that creates a digital fingerprint of a Web site suspected to be bogus, and of the site it is spoofing, and compares the two.

Once a bogus site is identified, CipherTrust feeds that information into its Radar anti-phishing service and posts a notice at PhishRegistry.org, which Zdziarski defines as a “neighborhood watch for your Web site.”

Another company, MarkMonitor, attempts to identify potential phishing sites by these sites’ domain names. The company, which is a domain registrar, provides a service that looks for newly registered or altered sites with domain names that are close to legitimate domain names, such as bankofamerical.com, says Chuck Drake, senior vice president of fraud solutions.
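The kind of domain-name screening described above, as an added example (not MarkMonitor's code and not from the article): a defender checks a feed of newly registered domains for names close to a protected one. The brand `examplebank.com`, every feed entry except `bankofamerical.com`, the confusable table and the distance limit are constructed assumptions.

```python
"""Flag newly registered domains that sit close to a protected brand domain."""

# Look-alike substitutions folded before comparison (illustrative, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

BRANDS = ["bankofamerica.com", "examplebank.com"]  # second brand is hypothetical

# Constructed sample feed; only the first entry appears in the article.
NEW_REGISTRATIONS = [
    "bankofamerical.com",     # one extra letter
    "exarnplebank.com",       # "rn" standing in for "m"
    "example-bank.net",       # hyphenated variant
    "exmaplebank.com",        # two adjacent letters swapped
    "examplebank-login.com",  # brand embedded in a longer label
    "examplebank.org",        # same name, different TLD
    "gardenbooks.org",        # unrelated registration
]


def label(domain: str) -> str:
    """Return the label left of the TLD: 'bankofamerical.com' -> 'bankofamerical'.

    Simplification: the last dot-separated part is treated as the TLD, so
    multi-part suffixes such as .co.uk need a public-suffix list in real use.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(text: str) -> str:
    """Drop hyphens and fold confusable sequences so look-alikes compare equal."""
    text = text.replace("-", "")
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(candidate: str, brand: str, max_distance: int = 2):
    """Return the reason a candidate resembles the brand, or None if it does not."""
    if candidate.lower() == brand.lower():
        return None  # the protected domain itself
    cand, target = label(candidate), label(brand)
    if cand == target:
        return "same name under a different TLD"
    c_skel, t_skel = skeleton(cand), skeleton(target)
    if c_skel == t_skel:
        return "confusable characters or hyphenation"
    # Scale the allowed distance down for short brands to limit false positives.
    limit = min(max_distance, len(t_skel) // 4)
    dist = osa_distance(c_skel, t_skel)
    if dist <= limit:
        return f"edit distance {dist}"
    if len(t_skel) >= 6 and t_skel in c_skel:
        return "brand name embedded in longer label"
    return None


def scan(new_domains, brands, max_distance: int = 2):
    """Return (new_domain, brand, reason) for every look-alike in the feed."""
    hits = []
    for domain in new_domains:
        for brand in brands:
            reason = classify(domain, brand, max_distance)
            if reason:
                hits.append((domain, brand, reason))
    return hits


if __name__ == "__main__":
    for domain, brand, reason in scan(NEW_REGISTRATIONS, BRANDS):
        print(f"{domain:24} resembles {brand:20} ({reason})")
```

Hits from a screen like this are leads for review rather than verdicts; as the article notes, the follow-up is a brand-infringement claim or evidence presented to the site's ISP.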

Advance notice of a potential phishing scam lets MarkMonitor’s customers work to shut down the fraudulent site through claims such as brand infringement, Drake said. If a phishing attack does happen, MarkMonitor’s service also shuts down the fake site by contacting the site’s ISP and presenting evidence of fraud.

This week MarkMonitor plans to announce a service called Phishing Readiness and Response, designed to bring these services to small and midsize financial institutions that may not have staff dedicated to fraud detection and prevention. The company says between July 2005 and January 2006 phishing attacks that target institutions with less than $500 million in assets jumped from 1% to 6% of all phishing attacks.

Sender  authentication  is  another  technology 
thought  to  be  effective  in  preventing  phishing, 
although  it  hasn’t  been  widely  adopted. 

Fresh from an IETF meeting last month, Sendmail’s Chief Science Officer Eric Allman spoke at the MIT conference about the progress being made with DomainKeys Identified Mail (DKIM), a sender-authentication proposal from Yahoo and Cisco that’s wending its way through the standards body, and how it can be used to fight phishing.

While DKIM isn’t a cure-all for spam and phishing, it presents an effective way for signers to assert that they really did process messages, and to hold them responsible. But DKIM and other authentication approaches won’t work in a vacuum, he said. “We need to use authentication as input to a larger system; it’s one part of a big toolbox,” Allman said. “If something is authenticated that doesn’t necessarily mean that it’s good.”

Another way to fight phishing is through public awareness. In preparation for tax season, the IRS last week announced an e-mail address — phishing@irs.gov — where residents can forward bogus messages claiming to be from the IRS.


Not enough being done

While  CAN  SPAM  is  catching  criminals,  it's 
not  enough  to  justify  the  headaches 
experienced  by  legitimate  e-mailers,  says 
one  attorney. 
Check Point rounds out security plan

BY  TIM  GREENE 

Check Point says it has carried out its vision of uniting security management across the four areas of the corporate networks that must be protected: perimeter, Web, internal and endpoint.

Now all devices made by Check Point that protect these areas come under control of the company’s Smart Center management platform, giving customers a comprehensive view of network security.

Since articulating this strategy two years ago, the company has added the management of Check Point products piece by piece to its Smart Center platform. The company plans to announce this week that the final product, its Integrity endpoint protection software, has been brought under Smart Center with a new software release called NGX R61.

Smart Defense Services Console, the unified management software, enables administrators to log on once and update and manage all Check Point gear on the network. These products can include its perimeter-defense VPN-1/Firewall-1, Web-defense Connectra SSL VPN software, internal security gateway Interspect and the endpoint security software Integrity. A fifth product, Eventia, gathers data from the others to create reports on security incidents.

“Being able to open just one management console and see everything and get reports about everything on Eventia rather than log into several different management consoles — some of them are weak on reporting — is a huge improvement,” says Mike Taylor, systems director for ChoiceData of Knoxville, Tenn., which sells Equifax credit report data. The firm uses Check Point firewall and VPN gear as well as Eventia to protect its networks in Knoxville and Chattanooga, he says.

Adding support for Integrity to the management platform may prompt ChoiceData to adopt it as well. Integrity includes anti-virus software, so ChoiceData may drop its current anti-virus vendor, Trend Micro, when its contract expires. “I’d even pay a little more for Integrity to get all the reports,” he says. “It’s more helpful if I get a report with charts and graphs so I can see where my problems are.”

The Smart Defense console is part of a service that sends customers security updates that can be pushed out to these products to battle new threats. It also sends best practices advice to network security executives. These updates can be installed to the Check Point platforms without taking them offline, for example, to install major new versions of operating systems.

Integrity is key to Check Point’s Total Access Protection (TAP) architecture for controlling which machines and users can gain access to networks. TAP represents multiple pieces of gear that enforce security policies on devices that are admitted based on Integrity scans and authentication checks.

TAP is Check Point’s answer to the growing interest in network access control as exemplified by Cisco’s architecture called Network Admission Control (NAC) and Microsoft’s Network Access Protection. While TAP can be overlaid on existing networks, Check Point also is working to integrate it with other vendors’ gear. The company is part of Cisco’s NAC Program, currently developing interoperability between Check Point’s Integrity client and Cisco switches.

Other switch vendors also are coming to Check Point to ensure their gear interoperates with Integrity to enforce access controls. Enterasys Networks, Foundry Networks and Nortel are all part of the TAP program. Members of the TAP wireless program are Aruba, Bluesocket, Cisco and Meru.


Corrections 


■  In  the  news  brief  "Sun  utility  grid  takes  a  hit"  (March  27,  page  8),  a  company 
was  misidentified.  Instead  of  Callidus  Software,  it  should  have  been  Cepstral. 

■  The  story  "20  network-changing  products  in  20  years"  (March  27,  page  33) 
should  have  stated  that  Tony  Li  was  only  a  member  of  the  design  teams  that 
created  both  the  Cisco  12000  and  Juniper  M40  routers. 
Data protection to take center stage


Storage sampler

Some of the products being introduced at Storage Networking World:

Company               Product                          What's new
Cisco                 MDS 9513 Multi-Layer Director    528-port Fibre Channel director switch.
Creekpath             Acuity                           Storage resource management software for business analytics and tactical operation management.
Dell                  AX150 and AX150i                 Storage arrays for small and midsize business.
Hitachi Data Systems  TagmaStore AMS1000               4Gbps Fibre Channel, iSCSI and network-attached storage support, 1GB of cache memory.
LSI Logic             Serial Attached SCSI switch      Lets more storage devices be connected directly to host computers.
Microsoft and IBM     iSCSI software-enabled boot      Lets servers on an iSCSI storage-area network boot from the SAN.
Sun StorageTek        Enterprise Storage Manager       Includes business analytics software and enhanced support for IBM DS arrays and Sun NAS devices.
Astute Network        Athens Storage                   Reduces utilization and power in storage networks.

BY  DENI  CONNOR 

Vendors at this week’s Storage Networking World conference plan to show off products that go beyond storing data to protecting it and enabling fast recovery.

The San Diego event, one of the biggest dedicated to storage, is expected to attract some 3,500 people and will feature a lineup of speakers from EMC, HP and Network Appliance, as well as from customers such as Nationwide Insurance.

FalconStor, one company scheduled to reveal products, is adding continuous and near-continuous data protection (CDP) software to its virtualization and virtual tape library products.

The FalconStor CDP IPStor Enterprise Edition software is designed to back up e-mail, files and database applications continuously so data from any point in time can be recovered. Another new product, the CDP IPStor Remote Office Edition, provides continuous or periodic disk or file protection for servers, workstations and laptops in remote offices. FalconStor also plans to introduce the CDP IPStor SMB Edition, an appliance designed for quick setup and priced starting at $1,000. Prices for the Enterprise and Remote Office versions start at $15,000.

“CDP like FalconStor’s gives users an enormous amount of granularity in their choice of when to pull back data,” says Mike Karp, senior analyst for Enterprise Management Associates. “Recovery points can be defined most explicitly. The reason for that is that CDP is not time-based like snapshotting, but is event-based.”

StorServer’s EZ Backup Appliance also is scheduled to debut at the show; it will be available to SMBs through IBM resellers and will be bundled with Tivoli management tools. The appliance comes in three configurations: disk-to-disk, which offers backup and archives with optional tape or disk for disaster recovery; disk-to-tape, with backup, archives, an online tape pool and disaster recovery to tape; and disk-to-disk-to-tape, which offers backup, archives, an online pool of IBM TotalStorage DS4100 disk arrays and disaster recovery to tape. The appliances cost $5,000 to $15,000.

Topio plans to offer a similar appliance for midsize businesses. Code-named Roadrunner, the box sits at a remote location, where it receives data replicated from a primary site. The appliance and storage connect to the IP network and don’t require a like device at the primary site. It will replicate data from direct-attached, iSCSI and storage-area networks. It will be sold through value-added resellers priced starting at $100,000.

Symantec’s new PureDisk software is designed to protect remote offices. It costs $16,000 per terabyte backed up. A PureDisk server sits in the data center and continuously and automatically backs up servers in remote offices, eliminating tape and decreasing an office’s reliance on inexperienced IT administrators.

Enterprise Storage Group estimates as much as 35% of a company’s data resides in remote offices, much of which is not adequately protected.

Also  at  the  show: 

• WysDM is expected to launch Version 3.5 of its backup reporting software, which introduces service-level agreement mediation. WysDM for Backups and WysDM for File Servers are priced starting at $15,000 for 50 managed devices. Another vendor, Avamar, plans to announce a storage reporting package it obtained from WysDM.

• Mendocino Software is set to announce that its CDP software will be integrated with Sybase databases to create a more flexible backup procedure.

• Acopia plans to unveil a version of its Adaptive Resource Switch software, which has been enhanced to include heterogeneous data protection and replication capability, and policy-based information life-cycle management capabilities and a multi-protocol global namespace.


SAS 

continued  from  page  1 

few JBODs (just a bunch of disks) that contain existing SAS or serial Advanced Technology Attachment (SATA) disks. Using such a technology may let companies put off migration to iSCSI networks or more expensive and complex Fibre Channel storage-area networks (SAN).

“SAS switching is primarily a mid-tier answer for connecting multiple servers to an inexpensive storage system with inexpensive [copper] infrastructure,” says Randy Kerns, an independent storage analyst. “This will be popular at the end of the year.”

The components necessary for enabling SAS-switched fabric networks consist of servers that contain a SAS storage interface — most new x86 servers do — and a storage controller (the intelligence in the storage array) that uses a chipset supporting SAS. IBM and HP are among the vendors that have SAS-enabled their servers: the xSeries and ProLiant, respectively.

[Graphic: Simpler storage? Serial Attached SCSI switches provide small and midsize businesses an alternative to networking their storage resources via Fibre Channel, iSCSI or direct attachment.]

SAS  is  the  replacement  for  the  Ultra320 
SCSI  interface.  Ultra320  SCSI  is  a  parallel 
interface  that  offers  only  14  connections 
between  servers  and  storage  devices.  SAS 
allows  for  as  many  as  128  connections  in 
the  LSI  Logic  implementation. 

LSI Logic and PMC-Sierra last year introduced switch chips for use in storage controllers, which HP and IBM say they will incorporate into controllers by the end of this year.

Both chip manufacturers have garnered a lot of attention for their technologies. IBM says it will use the PMC-Sierra chipset for networking its BladeCenter servers to storage. HP also has an active campaign, having SAS-enabled its ProLiant servers last year, and this year the company claims it will support SAS switching via an external switch. Its storage controllers, too, will have SAS switching capability.

SAS should be considered an alternative to iSCSI or Fibre Channel networking, observers and analysts say.

“There is [a small and midsize business] market for SAS-based switches for connectivity between servers, something the Fibre Channel and iSCSI folks don’t want to hear,” says Greg Schulz, analyst for StorageIO.

Fibre Channel will be necessary for distances greater than about 52 feet, because SAS supports only that much space between servers and storage. However, experienced and expensive IT help is needed to manage, deploy and maintain Fibre Channel SANs. Many customers who need distance and ease of use and deployment will choose iSCSI because it operates like the Gigabit Ethernet they are accustomed to.

For SMB customers, however, SAS switching will represent an opportunity for enlarging their storage network. They have been working with SCSI connections for the past 20 years and are familiar with it. Being able to use existing and inexpensive ATA or SATA drives is attractive to them.

“SAS could be a more attractive data solution, in that you already have someone that understands the SCSI protocol,” says Levi Norman, group marketing manager at HP. “The management of Fibre Channel itself requires a higher than average cost and more complex management experience than many customers have today.”

LSI’s SAS switch lets multiple storage domains be configured, and is ideal for rack-mounted or workgroup server and storage environments. An embedded Web server will provide switch management. The switch is expected to be available from system OEMs such as IBM and HP this fall.
LinuxWorld

continued  from  page  1 

The focus is part of a larger shift in the industry as enterprises look beyond the basic Linux kernel. LinuxWorld, once the domain of the “sandal and ponytail set,” will feature a new parallel conference called OpenSolutions World designed to give the growing number of business-focused attendees insight into open source technologies higher up the stack.

In addition, there will be a wider variety of sessions, including the first-ever track focused on mobile and embedded Linux, and a grid showcase.

Perhaps the strongest evidence that Linux is becoming mainstream and is being viewed as just another component of heterogeneous computing environments: For the first time Microsoft will give a LinuxWorld keynote. Bill Hilf, Microsoft’s director of platform technology strategy, will talk about integrating open source and proprietary software.

“The last LinuxWorld in San Francisco was where you really saw a spike in the total focus further up the stack,” says Bill Weinberg, senior analyst at Open Source Development Lab. “People are not choosing their platform only on the merits of the underlying operating system and the kernel, but on the ability to support their workloads.”

As a result, it’s not surprising to see a number of announcements around virtualization, a technology that’s fast gaining adoption on x86 servers (see graphic, above).

With vendors looking to standardize on a basic virtualization platform, enterprises should be paying close attention to management tools, analysts say. XenSource includes basic management capabilities in XenEnterprise, which it plans to roll out at the show. Virtual Iron is integrating its virtualization and policy-based management tools with the Xen virtualization technology in Version 3 of its software that also is expected to be unveiled this week.

Another virtualization tool set to launch at LinuxWorld is SWsoft’s Data Automation Suite. The software can be used to create and configure virtual servers with SWsoft’s Virtuozzo virtualization software. The SWsoft Data Automation Suite also provides a Web portal that lets IT managers track virtual server utilization among departments in an organization to better manage costs, the company says.

With all the buzz around virtualization and VoIP, these two technologies will come together at LinuxWorld. IBM and 3Com plan to announce a joint project to port 3Com’s Linux-based VCX IP PBX platform to IBM System i (aka AS/400) mid-range servers. Under this partnership, 3Com is porting the Session Initiation Protocol-based VCX platform to a Linux platform that can run as a partition on a System i server. The goal is to tap into an installed base of more than 40,000 Lotus Notes/System i users, and give the option of consolidating VoIP and messaging platforms on a single box, IBM and 3Com say.

On the security front, Astaro, which makes a Linux-based firewall/VPN/intrusion-detection system product, is expected to launch its Security Gateway 7 at the show. New features include enhanced QoS support for VoIP traffic flowing through the security device and a more secure FTP proxy server that requires no user client for connections. SSL VPN capability also is added, allowing for remote access to corporate data via a Web browser.

[Graphic: Smaller but gaining. Although Linux held just 11% of the server operating market in the fourth quarter of 2005, the market for Linux grew much faster quarter to quarter than for Windows. Source: IDC]

Show organizer IDG World Expo, a sister company of Network World, says it expects about 8,000 people at the conference being held at the Boston Convention and Exhibition Center. Some 150 exhibitors are expected on the 40,000-square-foot show floor, including newcomers such as open source content management company Alfresco and open source CRM vendor SugarCRM, as well as Ubuntu Linux, a free desktop Linux distribution that has gained significant attention lately. A 2005 survey of 3,300 Linux users by the OSDL showed Ubuntu as the most popular Linux distribution, with 53%.

IT and PC computing companies returning to the show after a hiatus include Apple, along with 3Com and EMC, whose VMware division, a veteran of LinuxWorld, will be at the show in a separate booth. Sun and HP will not have booths on the show floor, though both have representatives speaking at various sessions.

HP, the market leader in Linux server shipments, according to IDC, plans to announce the first offerings in its Open Source Integrated Portfolio, which will provide hardware, software and services to help customers deploy open source, commercial and hybrid applications on Linux, Unix and Windows — another illustration of the move to look beyond an isolated view of Linux.


Jacada  boosts  call  center  wares 


BY  ANN  BEDNARZ 

Jacada this week is expected to unveil updated versions of its two contact center software products, which are designed to streamline the way agents work.

Jacada’s Fusion software hooks into enterprise applications and tackles workflow automation with features such as single sign-on and call scripting. New in Version 3.0 is desktop monitoring technology that tracks what agents are doing, anticipates next steps and notifies managers if processes have not been followed.

As an integration platform, Fusion uses Web services to extract the content agents need to do their jobs. Companies don’t have to alter their existing business applications nor do contact center agents have to constantly navigate among multiple applications to find the information they need, says David Holmes, an executive vice president at Jacada.

Jacada’s second product is Workspace, a thin-client application that melds applications and content agents need while dealing with customers. As more contact centers make use of distributed staff, including outsourced and home-based agents, a browser-based desktop application can simplify the process of bringing new agents on board, Holmes says.

New in Workspace 3.0 is a universal agent feature that automatically alters the tools and applications displayed on an agent’s desktop depending on factors such as where a customer is calling from and number dialed.

Jacada is known for its mainframe integration and emulation products, but lately the vendor has shifted its product development from general connectivity wares to more targeted industry applications.

Experience with legacy integration is a plus for Jacada in the contact center market, where using service-oriented architecture technology to improve agent productivity is a good fit, says Sheryl Kingstone, a director at The Yankee Group. “For years we’ve been talking about providing a single view of the customer and trying to consolidate all the different departments and initiatives in the contact center. But the agent still has to Alt-Tab between different applications and swivel-chair between different desktops,” Kingstone says. “It’s out of control.”

Convincing companies to work such technology into their contact center road maps will be a big challenge. “The very large contact centers can’t get past that their Holy Grail is to rationalize the data in their infrastructures,” Kingstone says. While it’s important for the long term to consolidate back-end systems, that shouldn’t preclude companies from pursuing a more immediate fix for their contact center woes. “Build that road map, but don’t make your customer service reps pay for it for the next three years.”
Mu Security debuts with test analyzer

Profile: Mu Security

Location: Sunnyvale, Calif.

Founders: Ajit Sancheti, CEO, and Kowsik Guruswamy, CTO.

When: March 2005

Employees: 25

Funding: $4 million from Accel Partners and Benchmark Capital.

Product: Mu-4000 Security Analyzer for discovering vulnerabilities in network equipment.

Fun fact: Mu comes from the phrase "mutating the protocols," a shorthand description of how the Mu-4000 bombards the targeted equipment in a lab with hundreds of thousands of simulated attacks.

BY ELLEN MESSMER

This week start-up Mu Security makes its debut with a security analyzer called the Mu-4000 that can probe and discover new vulnerabilities in a variety of IP-based network gear, including switches, routers, VoIP phones, Web servers and firewalls.

Ajit Sancheti, Mu Security’s co-founder and CEO, says the Mu-4000 is intended for a test-lab environment and runs a probe on network equipment before it’s deployed. To ferret out the equipment’s unknown weaknesses, the probe launches attacks that simulate possible hacker actions.

“This is an engine to generate millions of unique attacks,” says Sancheti, who started the firm with CTO Kowsik Guruswamy.

The co-founders have worked together since the ’90s when Guruswamy was chief architect and Sancheti was director of product management at OneSecure.

OneSecure, a maker of intrusion-detection systems, was acquired by NetScreen, which in turn was acquired by Juniper. Sancheti says he and Guruswamy decided to start Mu Security on the premise that there’s a need for better tools to discover vulnerabilities in equipment.

The Mu-4000 process manipulates various protocols, including Border Gateway Protocol, VoIP, Radius authentication, Lightweight Directory Access Protocol, HTTP and FTP to examine how equipment reacts to assaults.

The Mu-4000, which starts at $30,000, is a rack-mountable appliance that includes four Gigabit Ethernet and two serial ports for access to the targeted equipment.

Most vulnerability-assessment tools analyze how software or hardware reacts to known vulnerabilities. But Mu Security’s appliance is aimed at uncovering zero-day vulnerabilities — the holes that generally aren’t known to exist.

Chris Christiansen, vice president of security products and services at IDC, expects Mu Security could have a significant impact if its tool gets widely deployed.

“There are likely to be numerous exploitable vulnerabilities in field-installed systems, including database and streaming media applications, routers, firewalls and network-attached storage, that need remediation today,” Christiansen says.

The Mu-4000 appliance has been installed at 20 customer sites, including government agencies.

Motorola late last year started using the security analyzer to look for unknown vulnerabilities that might be found in software for Motorola products ranging from network equipment to handsets.

“Mu Security is very innovative,” says Anson Chen, corporate vice president and general manager of the global software group at Motorola. “Even when a product is close to shipping, we may find something.” The Mu-4000 has assisted Motorola in developing secure programming practices.

If the security analyzer proves to be exceptionally proficient at ferreting out new vulnerabilities, the question may arise as to how Mu Security will prevent the Mu-4000 from being used as an attack tool to unearth weaknesses in products.

“It is like a loaded gun,” says Sancheti, who adds that the company is tracking every device it makes available with the goal that they be used only for the intended purpose. ■


Short Takes

■ Symantec this week is expected to announce IM Manager 8.0, the first upgrade of the instant-messaging security product it gained in acquiring IM Logic earlier this year. IM Manager, which runs on Microsoft Windows Server 2000 or 2003, is a gateway used to block or allow all forms of IMs. Added functionality gives users greater control in enabling or blocking specific IM capabilities, such as the voice feature in Google Talk or application sharing in Microsoft Office Communicator.


OASIS in document desert?

Worried about dealing with .doc, .xls and .ppt files? Probably not — but the people at OASIS think you should be. OASIS has been at work since 2002 building up an open alternative to proprietary office file formats under its OpenDocument Format initiative. But what does it mean to you?

To vendors such as Sun, IBM and Novell, it is something users should write into every future office systems RFP. Not a big issue except that the incumbent provider of office software, Microsoft, does not support ODF and doesn’t intend to support it in the upcoming Office 12 release.

If nothing else, the OASIS vendors can become a thorn in the side of Microsoft if they can convince large users to make ODF support mandatory. Should that be the case, Microsoft would need to divert development effort to come up with at least a crude implementation for each of its MS Office suite programs. Amusement aside, we need to return to the core question: “Does it matter to my company?”

Sun CEO Scott McNealy thinks it does. In a recent Wall Street Journal op-ed, he calls on users to rebel against the lock-in of an unnamed vendor and demand ODF for all.

He certainly makes some good points. He writes that by letting an unnamed company based in Redmond, Wash., dictate file standards, we could face a situation in which “in a few short years we may no longer be able to access our files if the format is ‘upgraded.’ Or we may be required to buy a new expensive version of the software just to access our own thoughts.”

While you have to love the Orwellian overtones, is the situation that urgent?

I agree with the mission of OASIS and the notion of a document format that can’t be arbitrarily upgraded by a single vendor, but I think that the practical situation — at least today — is not nearly as desperate as we are led to believe.

Without ODF, we are told, there is a barrier to exit — meaning we can’t grab our documents and transport them to a system of our choice. But is that really the case?

While there is no disputing that Microsoft gets to dictate its file formats, it is equally true that other vendors have figured out ways not only to read those files but also to let them be edited by non-Microsoft programs and passed back unharmed to be used by MS Office users.

Most MS Office files can be opened by the programs in the OpenOffice suite. Word documents can be opened and manipulated by many non-Microsoft word processing programs. While not all the files will come across perfectly, I don’t feel that my work is locked into Microsoft. If I can export Word documents from Microsoft in, say, RTF format, I have fairly portable information, even with ODF.

Even ancient information almost always has some program to unlock it. I recently found 20-year-old files that were written using IBM’s DisplayWrite software. Twenty minutes later, I had a freeware program to convert them to ASCII text.

Sure, put ODF on your wish list, but above all, balance your short-term and long-term document needs.

Tolly is president of The Tolly Group, a strategic consulting and independent testing company in Boca Raton, Fla. He can be reached at ktolly@tolly.com.


College’s push to virtualize its servers is paying off

The virtues of virtualization

Bowdoin College cut servers by one-third by virtualizing its cramped data center. Today nearly 60% of its applications run on virtual servers.

• Shelf of HP BL20 blade servers, flanked by two gigabit switches, cross-connected for redundancy.

• Each blade runs VMware ESX Server virtualization software.

• Each VMware ESX Server hosts several virtual machines, each one running a Windows or Linux application.

BY JOHN COX

By investing in virtualization software, a small Maine college eliminated about one-third of its physical servers and sidestepped about $356,000 for new systems, even as it added enterprise applications.

The server consolidation at Bowdoin College, in Brunswick, grew out of a limited test of ESX Server, virtualization software from EMC subsidiary VMware. Initially, the IT group wanted to use the software to create virtual servers that could be dedicated to testing new or upgraded applications before they were deployed in full production mode.

Two years ago the IT group launched a trial deployment. The ESX software is in charge of the physical computing resources — CPU cycles, memory, disk space — and allocates these in response to application demands. The applications run in virtual machines, self-contained software bubbles with a claim to the underlying CPU resources on the blade.

“It’s kind of like the old mainframe model, where each user’s job got a slice of the CPU’s time,” says Tim Antonowicz, Bowdoin’s systems administrator. “VMware ESX Server does the same thing with the virtual machines: It drops a VM onto the blade server hardware, runs the cycles it needs and then [drops on] the next one, cycling through all of them.” The virtual machines are exploiting what previously would have been idle CPU cycles.

As Bowdoin discovered, applications now can run on fewer physical servers. Virtual machines can be created within minutes or allocated additional virtual memory or disk space with a few mouse clicks. A new application can be safely tested, or an old one modified, on one or more dedicated virtual machines and then deployed quickly.

These virtualization virtues became apparent in late 2004, as Bowdoin’s infrastructure was stretched to the limit. The small data center was jammed with five racks of servers, and many of them sat idle for most of the day. At the same time, Mitchell Davis, the college’s first CIO, was planning to rewire the campus for Gigabit Ethernet and to deploy application upgrades to serve about 1,600 students, 179 faculty and 600 staff.

The new financial system, Blackbaud’s Financial Edge, would need 10 to 16 new servers to support the configuration.

“The IT staff came to me and said, ‘We think we can deploy everything on VMware,’ ” Davis recalls. Bowdoin bought 15 HP BL20 blade servers. Eight blades run ESX Server instances, with a ninth instance running on a Dell server. The IT staff was able to reduce the number of physical servers from 72 to 46 (including the 15 HP blades).

Today, Davis says 58% of Bowdoin’s applications run on virtualized servers. The 15 HP blade servers cost $93,000. VMware’s ESX pricing for the education market is $3,000 per server, which can each support multiple virtual machines, for a total of $27,000.

Antonowicz says that to support the new applications deployed, 57 additional physical servers would have been needed. But as a result of using virtualized servers, Bowdoin bought none apart from the blades. Antonowicz estimates the 57 boxes would have cost $356,250.

Monitoring and managing the new server environment has been dramatically streamlined. “I can add memory, increase a hard drive, add a second CPU or network card, all from a secure VMware Web interface,” Antonowicz says. ■

NetXen 10-Gig adapters to boost server speed

Profile: NetXen

Based: Santa Clara, Calif.

Founded: February 2002

Primary product: Programmable multiprotocol network adapter for industry-standard servers.

Founder: Govind Kizhepat, formerly CEO and founder of iCompression.

Key customers: IBM, HP

Funding: $14.6 million from Accel Partners, Benchmark Capital and Integral Capital Partners.

BY DENI CONNOR

NetXen last week launched multiprotocol network adapters designed to speed processing by as much as a factor of 10 and reduce power requirements for x86-based servers by as much as 50%.

The vendor’s 10Gbps Intelligent network interface cards (NIC), which will be sold through OEMs, initially are expected to be available in IBM xSeries and BladeCenter High Performance System and HP ProLiant and BladeSystem servers.

“NetXen is the first 10G-bit product to be integrated into a mainstream server, so that marks a turning point in 10G-bit Ethernet,” says Bob Wheeler, senior analyst for the Linley Group. “It is also the first single-chip solution for PCI-Express.”

The Intelligent NICs speed performance partly by offloading the processing of TCP, iSCSI and Remote Direct Memory Access (RDMA) from server CPUs. NetXen is a member of the OpenRDMA Project, an organization developing applications optimized for RDMA.

The dual-port, PCI-Express adapters support hot-code load and are software- and firmware-upgradeable, which means they can assume new capabilities and protocols as needed.

The Intelligent NICs compete with commodity adapters from Neterion (formerly S2io) and NetEffect, whose offerings also provide high-performance and concurrent access to servers, networks or storage. Neterion XFrame II adapters, which do not use single-chip PCI-Express, also are used in IBM’s PCI-Express-based xSeries servers.

NetXen’s Intelligent NICs are available to system OEMs starting at $600. ■
NEXT-GENERATION SERVERS

Early adopters laud multicore systems

BY JENNIFER MEARS

FlightAware’s business is soaring. In the year since its launch, the company that tracks private and commercial air traffic in the United States has been serving up about half a million requests a day with demand doubling every few weeks.

It’s a huge load for the small Houston company and one that required its founders to think creatively when it came to building out the infrastructure to support its rapid growth. One innovative move: FlightAware last summer became an early adopter of new dual-core x86-based servers.

“All the TV networks turn to FlightAware to track flights whenever there are aviation incidents, which poses a problem for us, because it’s a phenomenal amount of load,” says Daniel Baker, FlightAware’s CEO.

By moving its two PostgreSQL databases from Intel Pentium 4 systems and onto 64-bit capable, dual-core Opteron-based servers, FlightAware can handle huge spikes in traffic without increasing its number of servers.

“So while our load doubles every few weeks, our performance stays about the same,” Baker says. “I consider the fact we haven’t had a decrease in performance a win.”

Dual-core processors are the first wave in an industry move toward multicore chip designs as a way to get around heat and power issues associated with faster-running processors. Rather than pumping up clock speed, these chips squeeze multiple processing engines on a single piece of silicon, enabling more work to be done at lower clock speeds and with less heat output and lower power demands. These chips are also multithreaded, meaning that they can simultaneously handle multiple application instructions.

While IBM has had a dual-core processor since 2001, an industrywide shift is only now beginning. Sun and HP introduced dual-core Unix processors in 2004, and last year Intel and Advanced Micro Devices (AMD) moved x86 servers into the multicore arena with dual-core Opteron and Xeon processors. Sun began shipping an eight-core UltraSPARC server at the end of last year, and start-ups such as Azul Systems are designing their own multicore systems. Intel and AMD both say they will have quad-core processors shipping by early next year.

Analysts say initial interest in multicore servers focuses on the fact that they provide more power in smaller — and fewer — packages, resulting in easier management, less cabling, lower power demands and reduced heat output. According to IDC, nearly one-quarter of the $12.5 billion spent on servers in the third quarter of last year was spent on dual-core systems. In the fourth quarter, spending on AMD- and Intel-based dual-core systems more than doubled, compared with the previous quarter, IDC says.

While adoption is steady, as with any transition, there are growing pains. One of the biggest issues has been how “per CPU” software will be licensed as the definition of a CPU is muddied with multiple processing units fitting into a single CPU socket.

Independent software vendors have made progress during the past year with plans to either charge per socket, which Microsoft and VMware are doing, or to charge a small premium for multicore systems. Oracle, for example, has menu-like pricing for the different multicore platforms, considering each x86 core as half a processor for licensing purposes and each core on Sun’s eight-core UltraSPARC T-1 chip as a quarter of a processor.

Nevertheless, most early adopters are running open source or custom-built software on these multicore servers, making licensing a non-issue, at least for now. Ironing out the licensing tangle to make it easier for IT buyers to understand the costs associated with multicore servers should result in more widespread adoption, analysts say.

There is movement in that direction. HP and Novell, for example, late last year announced a hardware-software bundling package that enables customers to buy SuSE Linux licenses based on the number of servers, regardless of whether they are single- or dual-core and regardless of the number of virtualized images that might be running within the physical machine.

Another issue is that while some applications, such as those written in Java, are designed to take advantage of multithreaded environments, others aren’t, meaning they can’t take full advantage of the new architecture.

“But today you won’t be losing a step with dual-core, just like [the x86] 64-bit processors will run 32-bit applications fine and dandy,” says Charles King, principal analyst with Pund-IT. “It’s not going to cut down performance; it’s just you won’t be able to take full advantage of the platform until optimized operating systems and applications are available.”

Matthias Schorer, chief architect at Fiducia IT in Munich, says updates to Java and Solaris made his company’s Java-based application run even better on Sun’s new eight-core Sun Fire T2000 servers, code-named Niagara. The company provides infrastructure services to about 900 banks in Germany, supporting some 100,000 workstations and 20,000 automated teller machines.

The company runs more than 800 single-core UltraSPARC-based systems but plans to make a transition to the T2000.

“You have to use the right Java virtual machine. We saw double the throughput” when compared to the less-optimized version of Java, Schorer says. “Sun has put a lot of effort into optimizing Java for Solaris 10 to run smoothly on Niagara.”

In addition to the performance increase, Schorer likes the multicore design of the T2000 because of the ability to reduce space and lower heat output and power demands. His current UltraSPARC servers consume about 1.3 kilowatts per hour compared with 0.35 kilowatts per hour for Niagara servers, he says.

“That’s a big thing given the fact that we could replace four [UltraSPARC servers] with one Niagara,” he says.

Stephen Smith, manager of automation and systems integration at Starz Entertainment Group in Englewood, Colo., liked the performance boost his digital encoding application got with dual-core Opteron-based servers from HP. By shifting from single-core Xeon servers to the dual-core boxes, Smith saved on hardware by reducing the number of servers he needed by four. In addition, he cut costs on cabling, drives and other items associated with single servers.

“Every machine that needs to be able to talk to the storage needs two Fibre Channel HBAs, space on the blades of the Fibre switch, the actual switch itself and the ports going in to the storage. Plus all of the software licenses that go on top of that,” he says. “We reduced our costs by more than a quarter by going with the AMD-powered systems.”

A downside is that consolidating multiple servers onto fewer boxes can create a single point of failure, early adopters say.

“Absolutely, you get easier management with dual-core servers, but that has downsides, too,” FlightAware’s Baker says. “If one of them goes down, you’ve lost that much more of your capacity.”

As a result, FlightAware is taking its move into the dual-core world slowly, running only its databases on that platform. The front-end servers, which include Web servers and a server that generates the maps charting an airplane’s progress toward its destination, run on single-core Opteron systems.

“So if they do fail, it’s less of a percentage of our total capacity,” he says.


Seeing double

Dual-core and multicore processors offer more processing power in energy-efficient packages. Things to consider when deploying them:

• Independent Software Vendor impact: Progress has been made, but ISVs are still feeling their way when it comes to licensing on multicore systems. Make sure you understand what the costs will be.

• Application applicability: All applications and operating systems are not yet tuned for the new multicore platforms. Figure out which applications will see the biggest performance boost — such as those with compute-intensive, number-crunching workloads — and start your migration with those.

• Single point of failure: Consolidating multiple workloads on a single physical system can mean trouble if there is a glitch. Provide redundancy to avoid problems.

• Bothersome bottlenecks: With more processing engines working in a single socket, the transfer of data between memory, I/O and other CPUs can get bogged down. Make sure you know how the multicore chip is designed to handle this issue.
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APPLICATION  SERVICES 

CRM  I  MESSAGING/COLLABORATION  R  WEB  SERVICES  f  ERP  R  E-COM  R  NETWORK  AND  SYSTEMS  MANAGEMENT 


Short  Takes 


■ JBoss last week released a messaging system it hopes will extend the reach of its open source enterprise middleware platform into the high end of the market. It also announced a new open source Web server. The JBoss Messaging 1.0 component is available as a stand-alone product; it is to become the foundation for JBoss ESB 1.0, the company’s Enterprise Service Bus project, expected to be out later this year. JBoss also will make JBoss Messaging the default Java Message Service (JMS) technology in JBoss Application Server 5.0, also expected to be released later this year. Applications designed for JBossMQ, the JMS system built into the existing version of JBoss Application Server, will run unchanged on JBoss Messaging 1.0, the company says. A preliminary version of the JBoss Web 1.0 Web server is available, and JBoss says it expects to release a production version in June. Built on the Apache Tomcat container for Java Server Pages and Java Servlets, JBoss Web can handle more than 10,000 concurrent connections, the company says. The two packages are free to download and use under the open source license.

■ Delivery of Mendocino, the joint integration product from Microsoft and SAP, won't be affected by the delay in Microsoft's next Office productivity suite, an SAP spokeswoman said last week. Mendocino will ship as scheduled toward the end of the second quarter, according to SAP. “Our first joint product will be based on Microsoft Office 2003 and as such, won't be affected by any delays with the new Office version,” she said. Microsoft recently said it would push back the broad availability of its new Vista operating system and its Office 2007 productivity suite until next year. Both products are expected to be available to business customers by year-end through Microsoft's volume licensing program, but they will not be sold to consumers until January 2007, according to the company.


UC Berkeley upgrades voice


BY  ANN  BEDNARZ 

University  of  California,  Berkeley  eked  all 
it  could  from  its  legacy  voice  mail  system 
—  and  then  some. 

Even after Unisys dropped support in 2001 for the university's Digital Sound voice mail system, it located a third-party vendor willing to keep the system alive with components found on eBay and salvaged from other retired systems. “They weren’t making any new parts or upgrading the operating system. It was a very closed system,” says Terri Kouba, a systems developer in UC Berkeley’s communications and network services department. “But it was maintained.”

The university knew the fix was temporary and started looking for a replacement to provide basic voice mail functionality and unified messaging. None of the available unified messaging products won them over. “The industry really wasn’t ready for a system of our scale at that point,” Kouba says.

UC Berkeley gave it another shot in 2004 and found the vendors were better equipped to handle a rollout to tens of thousands of users. After a lengthy review process, the university chose Interactive Intelligence and licensed its Communite unified communications software last year.

Communite supports a unified in-box so users can browse and open e-mail, voice mail and fax messages from a single interface. The system also lets users retrieve voice, fax and e-mail messages from multiple devices, including desktop PCs, wireless handhelds or cell phones.

Unified messaging helps break down some of the walls between voice mail and e-mail and connects the message streams, Kouba says. In the past, people tended to reply to voice mails with another voice call and to e-mails with another e-mail message. “Now, if someone sends me an e-mail and I’m listening to my e-mail over the telephone, I can reply to that with a voice mail attachment,” Kouba says. The sender gets back the original e-mail message with a small .wav attachment. “No matter how you send me information, I can reply or communicate in the way that I want to.”

Call-screening features tell users who’s calling before a call is accepted, and follow-me/find-me technology lets users set precise call-handling rules — specifying, for example, which callers to send to voice mail and which to forward to certain alternative numbers. Users also can opt to be alerted by Short Message Service if parties leave a voice mail message.

Into  production 

UC  Berkeley  started  its  implementation 
last  October  with  a  pilot  group.  To  drum 
up  interest  in  the  new  technology,  the  IT 
group  asked  for  volunteers  from  different 
campus  departments.  Getting  volunteers 
excited  about  the  new  system  —  and  talk¬ 
ing  it  up  to  their  co-workers  —  was  one  of 
the  smartest  things  the  university  did, 
Kouba  says. 

The  pilot  allowed  Kouba’s  group  to  test 
the  application  under  real-world  condi¬ 
tions.  “One  of  the  things  that  we  can’t  do 
very  well  on  the  telephony  side  in  a  devel¬ 
opment  or  test  environment  is  test-load,” 
See  Berkeley,  page  26 


Upgrading  campus  communications 

The University of California, Berkeley, traded its aged voice mail system for a unified messaging platform from Interactive Intelligence that lets users streamline handling of voice, e-mail and fax messages.


UC  Berkeley  tied  the  Interactive  Intelligence  Communite  software  to  several  of  the  university's  existing  IT 
systems,  including  its  e-mail  system,  iPlanet  LDAP  directory,  storage  area  network  (SAN)  and  Kerberos. 


Campus  users  can  sort  and  open  e-mail,  voice  mail 
and  fax  messages  from  an  e-mail  in-box  or  browser. 


Inbound  call  information  is 
received,  the  Communite 
software  checks  the  rules, 
and  the  call  is  routed  back 
to  the  central  office  for 
telephone  delivery  or  to  a 
message  center  for 
messaging. 
Users can configure call-routing rules that direct certain callers to voice mail and others to alternative phone numbers if the campus phone is not answered. Call screening features tell users who's calling before a call is accepted.

Remote users can receive calls and manage messages via laptops and handheld devices.

Microsoft team delays, threat


NET  INSIDER 

Scott  Bradner 


Over  three  days  recently, 
Microsoft  delayed  two  major 
products  and,  perhaps  to  com¬ 
pensate,  hinted  that  it  just  might 
join  The  SCO  Group  in  trying  to 
sue  Linux  out  of  existence. 

On March 21 Microsoft announced that the consumer version of Windows Vista would be pushed back a few months to early 2007, from late 2006. Two days later CEO Steve Ballmer hinted to Forbes.com that Microsoft might sue someone over Linux violating Microsoft’s intellectual property. The next day Microsoft made sure that the consumer version of Office 2007 was not misnamed by also delaying it until early 2007.

Delaying new versions of software has become a Microsoft specialty, so these new delays should not be all that surprising or alarming. A number of pundits have gone into a minifrenzy speculating about the competitive impact of the delays on the efforts of Google, Yahoo and others to supplant Microsoft products in one area or another. Microsoft’s Windows management shake-up, announced the same day that the Forbes interview ran, has increased the volume of pundits’ twittering.

On the anti-Linux front, Ballmer did not actually say that Microsoft was priming its lawyers, but did hint strongly at that possibility. Forbes.com asked Ballmer, “You mention intellectual property. What’s going on in terms of Microsoft IP showing up in Linux? And what are you going to do about it?” Ballmer’s answer: “Well, I think there are experts who claim Linux violates our intellectual property. I’m not going to comment. But to the degree that’s the case, of course we owe it to our shareholders to have a strategy.” (See www.nwdocfinder.com/2826.)

This is not the first time that Microsoft has tried to sell its products by inducing FUD about intellectual-property rights. (See “Quality of threats rather than quality of software,” www.nwdocfinder.com/2827.) Still, it’s sad when a company with more market share than gravity and more money than King Midas ever dreamed of plots a corporate strategy based on attacking the competition with FUD rather than first-class products.

Maybe Ballmer felt that tossing a little FUD would keep customers from looking at alternatives during the latest product delay. Not all companies with a lot of intellectual-property rights resort to similar tactics, however. For example, see Cisco’s statement to the IETF concerning one of its patent applications (www.nwdocfinder.com/2828). That statement says, in essence, if you do not sue us, we will not sue you, but even if you do sue, you can still license the technology for a fee.

This is not to say that all patents should be treated as Cisco did. If a company has spent billions of dollars innovating, it deserves to be able to profit from its investment, get money from others who use the patent or stop others from using the technology to compete — at least for a while. Not all patents fit this description: see, for example, U.S. patents 5,443,036 and 6,368,227 (plug in the numbers at www.nwdocfinder.com/2829).

Things may be changing on the patent front. In mid-March the U.S. Supreme Court heard an important case concerning what can be patented, and soon will hear another concerning when injunctions can be employed to stop others using a technology. In addition, Congress is pondering reforming the U.S. patent system. The combination of the courts and Congress just might make it harder for a Microsoft to sell with intellectual-property rights FUD. But don’t hold your breath waiting.

Disclaimer:  I  did  not  check  to 
see  if  the  Harvard  Business 
School  has  a  class  in  marketing 
with  FUD  (I  do  not  want  to 
know).  So  the  above  is  my  own 
opinion. 

Bradner  is  a  consultant  with 
Harvard  University’s  University 
Information  Systems.  He  can  be 
reached  at  sob@sobco.com. 


Determina  protects  desktops 
from  variety  of  Web  threats 


BY  TIM  GREENE 

Determina,  which  makes  patch  alternatives  for 
servers,  is  extending  its  protection  to  workstations 
and  their  unique  threats. 

The company now makes Vulnerability Protection System (VPS) Suite for Desktops, which the vendor says can plug known vulnerabilities in applications until corporate IT executives can schedule a time to install patches from software makers. It also protects against worms, drive-by downloads, in which malicious code is contracted by visiting infected Web sites, and local privilege escalations that give attackers access to kernel-level control.

These features parallel what VPS’s Memory Firewall and LiveShield software components do for servers. Memory Firewall performs program shepherding. It scans traffic and finds threatening code headed for applications — buffer overflows, for example — that are designed to sap machines’ memory. The software blocks code it determines is a threat, says Andrew Jacquith, a senior security analyst with Yankee Group. “It checks on program instructions and addresses of where things are supposed to go before allowing them to run,” he says.

LiveShield software influences code running in memory on the machines it protects and works with specific applications to shield their known vulnerabilities in much the same way a patch would, but without the patch having to be installed. Shields are based on patches issued by software vendors, but they can be put into use immediately without taking down the affected machines. The downside of LiveShield is that Determina waits for vendors to issue patches before it writes shields. In the case of a recently exposed Internet Explorer security hole, however, it released a shield before Microsoft issued a patch. VPS works on Windows desktops only.

“If it works like I hope, I won’t have to worry about drive-by downloads and keystroke loggers and other nasty-ware,” says Nick Fitzpatrick, senior network manager for San Francisco law firm Laughlin, Falbo, Levy & Moresi, which uses the server version of VPS. With 167 lawyers working onsite or remotely on laptops that connect to a corporate Citrix server farm, the laptops are exposed to a lot of Internet threats, he says, that may pose security problems but also can affect people’s ability to use their computers effectively. “Our help desk exists to serve our business, but this could help us get rid of some annoyance problems vs. serious problems,” Fitzpatrick says.

The desktop version of the suite is valuable, Jacquith says, because it addresses problems not faced by servers. “The lives of servers are boring. They do repetitive tasks with a small set of programs. Servers don’t fire up a Web browser and go shopping for bargains.” VPS Suite for Desktops can provide protection that supplements what anti-virus and anti-spyware products afford, he says.

Determina’s software competes in some ways against software from Blue Lane, eEye Digital Security, Network Associates and PivX.

VPS Suite for Desktops, which is scheduled to be available at the end of this month, costs $50 per seat. Separately, Memory Firewall costs $35 per seat. ■


Berkeley 

continued  from  page  25 

Kouba says. “It’s hard to generate real-looking calls. So that’s one of the things that we focused on during the early-adopter period.”

Kouba also used the pilot to tune the integration points between the Interactive Intelligence software and the university’s existing systems. UC Berkeley didn’t upgrade its telephony systems for the rollout, but it did do some heavy integration: The Communite software is tied to the university’s Centrex service, Nortel PBX gear, CommuniGate Systems e-mail, iPlanet Lightweight Directory Access Protocol directory, Kerberos security system and campus storage-area network.

After the pilot, in January the team moved the remainder of the university’s 10,000 faculty and administrative staff from the old voice mail system to the Communite platform.

Because not every user needs all the available features, the communications group offers different classes of service, starting with basic voice mail and traditional telephone-only message access. Enhanced voice mail services let users access messages via the Web, and unified messaging services add the option to retrieve messages via e-mail. Add-ons include call screening, call routing, and incoming and outgoing faxing options.

The communications group makes these services available to university departments on a chargeback basis, so department managers can stretch their budgets by choosing services for staff judiciously.

This fall, UC Berkeley plans to offer the new services to residence hall students, which could increase its implementation to 50,000 users.

In the past, as many as three students in a dorm room had to share a single phone line. With Communite, every student can get a personal phone number, and each can opt to route calls to the dorm-room phone, a cell phone or any other phone. “Somebody can always call that one campus phone number and ultimately reach the student,” Kouba says.

Attracting student users is important. Providing dorm-room telephone service is a moneymaker for UC Berkeley, which, like many universities, has seen its revenue drop as students increasingly favored cell phones over dorm lines. By offering unified messaging options such as advanced call-forwarding features and Web-based message retrieval, the university hopes to regain some of those customers. ■


THE INTERNET ■ VPNS ■ INTEREXCHANGES AND LOCAL CARRIERS ■ WIRELESS ■ REGULATORY AFFAIRS ■ CARRIER INFRASTRUCTURE


EYE  ON  THE  CARRIER 
Johna  Till  Johnson 


Like  generals  who  always  seem  to  fight 
the  last  war,  federal  officials  are  busy  trying 
to  regulate  yesterday’s  networks.  Listen  to 
the  buzz  in  Washington  and  you’ll  come 
away  feeling  the  Internet  was  invented  in 
approximately  1995  and  has  stayed  static 
ever  since  —  and  corporate  networks 
haven’t  changed  much  over  the  past 
decade,  either. 

Wrong on both counts. Take corporate networks: In 1995, the vast majority were frame relay with voice neatly segregated off in “voice VPNs.” VoIP was talked about but never deployed. MPLS was still on the drawing board. And only a handful of companies were rolling out services such as ATM that promised to integrate voice and data. The challenges in those days were things such as cost (voice and data services were nearly an order of magnitude more expensive than today), coverage (few carriers could handle international sites), and service monitoring (providers didn’t typically offer end-to-end response time metrics or service-level agreements [SLA] that included bounded latency).

Today, the majority of enterprises have deployed or are moving toward MPLS. Most are seizing the opportunity to deploy VoIP. And the big challenges are capacity (most enterprises see their bandwidth requirements doubling and even tripling year-over-year), resource management (with voice and critical corporate applications competing for the same network, server and compute resources, effective resource provisioning and management are now essential), and flexibility (contracts and SLAs need to reflect ongoing rapid technology changes).

nww.com

Application security event

As security moves "up the stack," defenses must reach down to protect the core. Integrating VoIP and wireless into the security grid. Implementing automatic patch management. Auditing performance and identifying weaknesses 24/7. What are the best practices and technologies to create a fortress enterprise? Attend Application & Content Security: Building the Defensible Network to find out — a new Network World LIVE Technology Tour event. www.nwdocfinder.com/3422

Get a handle on next-gen networks

What’s next? Look for presence-based services and real-time communications dashboards that combine video-, Web- and audio-conferencing at the user interface; offer unified messaging capabilities; and enable find-me-follow-me services that track users by where they are and how they’d like to be reached.

As for the Internet, current regulatory models assume passive users getting spoon-fed content and services by the “cloud in the sky.” Nothing could be further from the truth, as highlighted by Web 2.0, service-oriented architectures and grid/distributed computing. The Internet of the future reverts to its roots as a network linking a grid of active hosts, each capable of running software and applications, and relying on the ’Net as an exchange network, not a distribution network.

That has profound effects on businesses, too. With Web 2.0, enterprises are engaging in active conversations with users, or prosumers (producers/consumers). This can dramatically affect how products and services are designed, created and delivered.

What should IT executives do? First, make sure you’re focusing enough time and attention on your corporate networks. Plan to enable effective application and resource management, ensure enough capacity (particularly at the critical local loop), and strike deals that give you the flexibility to leverage emerging technology. And assess the possibilities presented by Web 2.0 for modifying interactions with customers, suppliers and partners.

Second, keep an eye on the regulators. As noted earlier, flawed metaphors lead to faulty policy — and faulty policy can limit the effectiveness of your network.

Johnson  is  president  and  senior  founding 
partner  at  Nemertes  Research,  an  indepen¬ 
dent  technology  research  firm.  She  can  be 
reached  at  johna@nemertes.com. 


BT  addresses  security,  compliance 


More single sign-on security

IDC expects higher spending on federated ID, or single sign-on security technologies.

In millions                2005      2006      2007
Advanced authentication    $526.3    $544.4    $577.6
Web single sign-on         $775.8    $953.1    $1,382.4
Host single sign-on        $180.3    $226.2    $273

SOURCE: IDC


BY  DENISE  PAPPALARDO 

BT  Americas  is  working  on  two  new 
services  that  the  company  says  offer 
customers  an  enhanced  level  of  secu¬ 
rity  and  tools  that  make  regulatory 
compliance  around  the  world  a  little 
easier. 

BT  is  developing  a  federated  ID 
management  service  with  the  goal  of 
securely  supporting  single  sign-on  at 
the  application  level,  says  Robert 
Booker,  vice  president  of  security 
solutions.  BT  also  is  developing  a  ser¬ 
vice  that  helps  customers  keep  track 
of  regulatory  and  privacy  laws. 

“We’re not just looking at application security. More and more we’re looking at governance and compliance,” Booker says.

Identity federation, the sharing of user authentication information across corporate boundaries, lets a user authenticated on one network use that credential to gain access to resources on another network. Federation is based on a number of XML-based standards, including the Security Assertion Markup Language and a protocol developed by Microsoft and IBM called WS-Federation.

More businesses are expected to adopt federated identity solutions over the next three years, according to a report issued by IDC. Fueling the jump are maturing standards and products, IDC says. Financial services, manufacturing and government are vertical markets that are expected to be early adopters of the technology.


One  user  that  falls  in  the  government  cat¬ 
egory  has  been  testing  BT’s  federated  ID 
management  platform.  Guide,  a  European 
Union-funded  research  project,  is  working 
with  BT  to  develop  a  federated  ID  manage¬ 
ment  architecture  that  can  be  used 
throughout  the  10  European  Union  coun¬ 
tries,  says  Lia  Borthwick,  project  manager 
for  Guide. 

“Europe  is  moving  much  more  toward  a 
federal  Europe,”  she  says.  “We  need  to  sup¬ 
port  the  free  movement  of  people  who 
work,  live  and  play  in  other  EU  states  and 
the  free  movement  of  goods  and  services.” 
That’s  where  federated  ID  management 
comes  in,  she  says. 

If a citizen of the United Kingdom is transferred to Germany for less than 12 months, that employee’s Social Security pension rights remain in the United Kingdom and won’t be paid by the German government, Borthwick says. Guide is working with BT to develop a system that would allow citizens to access an online system to support these types of transactions.

BT also is developing a service designed to make it easier for customers to track and comply with state and federal regulations. “Different countries have different regulations and privacy laws that businesses must follow. Some countries are more mature and others less regarding things like what level of security you can apply,” Booker says.

BT has developed an application that lets companies easily see which policies they must comply with in individual countries. It then advises them on how to meet those rules.

The carrier has essentially developed a dashboard application that notifies a user of the regulatory and risk environment in terms of regulations that apply to technology, Booker says. “Some customers that are U.S.-based tune in on Sarbanes-Oxley and [the Health Insurance Portability and Accountability Act], and others focus on encryption rules for some countries overseas,” he says.

BT  is  testing  the  dashboard  service 
with  two  customers  and  plans  to  launch 
the  unnamed  service  in  the  second 
quarter.  ■ 

Senior  Editor  John  Fontana  contributed  to 
this  story. 
TECHNOLOGY UPDATE

AN INSIDE LOOK AT TECHNOLOGIES AND STANDARDS

802.11w fills wireless security holes

HOW IT WORKS: 802.11w

802.11w extends wireless security standard 802.11i to protect management frames from eavesdropping and forgery. In this example, an access point and clients are set up to use 802.11w management frames and have exchanged all

1. The access point sends a unicast 802.11k measurement request. The sensitive results of this measurement are sent back by the client. In both cases, the contents of the messages are hidden from the attacker.

2. The attacker tries to send a forged measurement request. But because the attacker doesn't know the key, it can't properly encrypt the measurement request, and the client drops it without harm.

3. The access point uses message integrity code to send a broadcast frame to the clients to adjust their power. The clients verify the message with the integrity key. The attacker also sees the message and knows the contents but cannot forge a new message from it.

4. The attacker tries to broadcast a deauthentication message. The clients receive the message and compare their one-time keys to the one in the message. Because the attacker doesn't know the one-time key of the access point, the keys won't match, and the clients safely ignore the message.
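
The broadcast power-adjust step in the “How it works” box above, as an added example that is not part of the original article: the access point appends a message integrity code to a cleartext frame, and each client checks it with the shared integrity key before acting. HMAC-SHA256 from the Python standard library stands in for the standard's integrity algorithm, and the frame layout, field sizes, key, frame contents and the replay counter are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 8   # assumed: 64-bit big-endian frame counter
MIC_LEN = 8   # assumed: tag truncated to 8 bytes for this sketch


def _mic(integrity_key: bytes, covered: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in, not the algorithm the standard specifies.
    return hmac.new(integrity_key, covered, hashlib.sha256).digest()[:MIC_LEN]


def protect_broadcast(integrity_key: bytes, seq: int, body: bytes) -> bytes:
    """Access point side: counter || cleartext body || MIC over both."""
    covered = struct.pack(">Q", seq) + body
    return covered + _mic(integrity_key, covered)


class Client:
    """Holds the shared integrity key and the highest counter accepted."""

    def __init__(self, integrity_key: bytes):
        self.integrity_key = integrity_key
        self.last_seq = 0

    def receive(self, frame: bytes):
        """Return (verdict, body); body is None unless the frame is accepted."""
        if len(frame) < SEQ_LEN + MIC_LEN:
            return "malformed", None
        covered, tag = frame[:-MIC_LEN], frame[-MIC_LEN:]
        # Constant-time comparison so the check leaks nothing about the tag.
        if not hmac.compare_digest(tag, _mic(self.integrity_key, covered)):
            return "bad-mic", None
        (seq,) = struct.unpack(">Q", covered[:SEQ_LEN])
        # A captured genuine frame carries a valid MIC, so the counter is
        # what stops it from being accepted a second time.
        if seq <= self.last_seq:
            return "replayed", None
        self.last_seq = seq
        return "accepted", covered[SEQ_LEN:]


def run_demo():
    """Genuine frame, two forgery attempts, then a replay. All data constructed."""
    key = bytes(range(16))                      # constructed integrity key
    client = Client(key)
    genuine = protect_broadcast(key, 1, b"power-adjust:max_tx_dbm=14")
    verdicts = [client.receive(genuine)[0]]

    # The frame is sent in the clear, so an observer can read it and reuse
    # its tag, but the tag no longer matches once the contents change.
    tampered = (genuine[:SEQ_LEN] + b"power-adjust:max_tx_dbm=01"
                + genuine[-MIC_LEN:])
    verdicts.append(client.receive(tampered)[0])

    # A freshly built frame fails too, because it is tagged with the wrong key.
    forged = protect_broadcast(b"\x00" * 16, 2, b"power-adjust:max_tx_dbm=01")
    verdicts.append(client.receive(forged)[0])

    # Re-sending the captured genuine frame is caught by the counter check.
    verdicts.append(client.receive(genuine)[0])
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

The MIC gives integrity only: the frame body stays readable to anyone in range, which matches the box's point that the attacker "knows the contents but cannot forge a new message from it."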


BY  JOE  EPSTEIN 

IEEE 802.11i, the standard behind Wi-Fi
Protected Access and WPA 2, patched the
holes in the original Wired Equivalent
Privacy specification by introducing new
cryptographic algorithms to protect data
traveling across a wireless network. Now, the
802.11w task group is looking at extending
the protection beyond data to management
frames, which perform the core operations
of a network.

Traditionally, management frames did not
contain sensitive information and did not
need protection. But with new fast handoff,
radio resource measurement, discovery
and wireless network management
schemes (provided in the upcoming
802.11r, 802.11k and 802.11v drafts), new
and highly sensitive information about
wireless networks is being exchanged in
these non-secure frames.

802.11w proposes to extend 802.11i to
cover these important frames. IEEE started
work on this proposal early in 2005, and an
official draft is expected to be ratified in the
first half of 2008. 802.11w will require
changes to the firmware of clients and
access points. It should not require hardware
changes, however, and thus might be
available as a software-only upgrade to
many types of hardware.

Three  types  of  protection 

802.11w provides protection in three
categories. The first is for unicast management
frames, or frames between one access point
and one client. By reporting network topology
and modifying client behavior, unprotected
unicast management frames provide
a powerful arsenal to an attacker, who
can discover the layout of the network, pinpoint
the location of devices and mount far
more successful denial-of-service (DoS)
attacks against a network.

802.11w tackles this problem by extending
the existing notion of data encryption
algorithms to the unicast management
frames, using the existing Temporal Key
Integrity Protocol or Advanced
Encryption Standard-based algorithms.
This protects against forgeries and provides
confidentiality.

The second method is for generic broadcast
management frames. These frames are
less common and typically are used to
adjust radio frequency properties or start
measurements, rather than report sensitive
information. Thus, 802.11w proposes to protect
only against forgeries, and not provide
confidentiality. The simplest proposal relies
on a message integrity code, which is
appended to the non-secure management
frame. An access point shares a key with
every securely associated client. All devices
— including eavesdroppers — can see the
message, but the key prevents devices outside
the network from forging messages.
However, authenticated clients can still pretend
to be the access point in this scheme.

The third method is for deauthentication
and disassociation frames. By using a
pair of related one-time keys, one secret in
an access point and one for a client, the
client can determine if the deauthentication
is valid. This method can present
problems for users who deploy or are considering
intrusion-prevention systems in
their networks.

Overall, 802.11w promises to patch security
problems created by the flow of new
and detailed information over management
frames. By protecting the contents of
most frames from eavesdropping, and of
certain crucial frames from forging,
802.11w will stop the information leakage
and reduce some basic DoS attacks.
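The second and third methods described above (a message integrity code appended to broadcast management frames, and a one-time key check on deauthentication) can be sketched as follows. This is an added example, not code from the article or from the 802.11w draft: HMAC-SHA256 stands in for whatever integrity algorithm the draft selects, a SHA-256 hash is one assumed way to relate the access point's secret one-time key to the value the client holds, and every class, function and frame name is hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional

MIC_LEN = 8          # constructed tag length for this sketch
DEAUTH = b"DEAUTH"   # constructed frame marker, not a real 802.11 encoding


def mic(key: bytes, body: bytes) -> bytes:
    """Integrity code over a cleartext management frame body (HMAC stand-in)."""
    return hmac.new(key, body, hashlib.sha256).digest()[:MIC_LEN]


class Client:
    def __init__(self) -> None:
        self.group_key: Optional[bytes] = None     # shared by all associated clients
        self.deauth_check: Optional[bytes] = None  # client's half of the one-time pair
        self.associated = False

    def accept_broadcast(self, frame: bytes) -> Optional[bytes]:
        """Return the body if the appended integrity code verifies, else None."""
        if self.group_key is None or len(frame) <= MIC_LEN:
            return None
        body, tag = frame[:-MIC_LEN], frame[-MIC_LEN:]
        return body if hmac.compare_digest(tag, mic(self.group_key, body)) else None

    def sign_as_if_ap(self, body: bytes) -> bytes:
        """The scheme's stated limit: any associated client holds the same key."""
        return body + mic(self.group_key, body)

    def handle_deauth(self, frame: bytes) -> bool:
        """Honour a deauthentication only if it reveals the AP's one-time key."""
        if self.deauth_check is None or not frame.startswith(DEAUTH):
            return False
        revealed = frame[len(DEAUTH):]
        digest = hashlib.sha256(revealed).digest()
        if not hmac.compare_digest(digest, self.deauth_check):
            return False                 # keys do not match: ignore the frame
        self.associated = False
        self.deauth_check = None         # one-time: spent once revealed
        return True


class AccessPoint:
    def __init__(self) -> None:
        self.group_key = os.urandom(16)
        self._deauth_secret = os.urandom(32)   # never sent until a real deauth

    def associate(self, client: Client) -> None:
        """Key delivery, assumed to ride on the protected unicast link."""
        client.group_key = self.group_key
        client.deauth_check = hashlib.sha256(self._deauth_secret).digest()
        client.associated = True

    def broadcast(self, body: bytes) -> bytes:
        return body + mic(self.group_key, body)

    def deauth_all(self) -> bytes:
        return DEAUTH + self._deauth_secret


def run_demo() -> dict:
    ap, alice, bob = AccessPoint(), Client(), Client()
    ap.associate(alice)
    ap.associate(bob)
    results = {}

    # Genuine power-adjust broadcast: readable by anyone, verifiable by clients.
    frame = ap.broadcast(b"SET-TX-POWER 10dBm")
    results["genuine_broadcast"] = alice.accept_broadcast(frame)

    # An outsider saw the frame but has no key, so a changed body keeps a stale tag.
    tampered = b"SET-TX-POWER 01dBm" + frame[-MIC_LEN:]
    results["outsider_forgery"] = alice.accept_broadcast(tampered)

    # An authenticated client (bob) can still pass itself off as the access point.
    insider = bob.sign_as_if_ap(b"SET-TX-POWER 01dBm")
    results["insider_forgery"] = alice.accept_broadcast(insider)

    # Deauthentication with a guessed key is ignored; the real one is honoured.
    results["forged_deauth"] = alice.handle_deauth(DEAUTH + os.urandom(32))
    results["associated_after_forgery"] = alice.associated
    results["genuine_deauth"] = alice.handle_deauth(ap.deauth_all())
    results["associated_after_genuine"] = alice.associated
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The `insider_forgery` result is the case to watch in monitoring: a frame that verifies correctly but did not come from the access point, which is the limitation the article notes for the shared-key scheme.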

Epstein is chief architect at Meru
Networks. He can be reached at
jepstein@merunetworks.com.


Ask Dr. Internet By Steve Blass


I  want  to  convert  a  large  collection  of  MPEG-4 
video  files  to  hinted  QuickTime  movies.  Is 
there  software  that  can  automatically 
convert  the  files? 

Examples and instructions for using AppleScript to
manage the process with QuickTime Pro are available on
Apple’s developer Web site (www.nwdocfinder.com/2830).
(Hint tracks tell a server how to package media
data for a network.) If you're familiar with Macintosh
tools, you can automate the task with Apple's Automator
or by creating a custom folder action. The Apple Streaming
Server User mailing list (www.nwdocfinder.com/2831)
is a good place to find information about converting
collections of video files to hinted QuickTime movies.

OS X Server comes with two command-line utilities,
qtmedia and qtref, used by a streaming server to create
hinted movies and QuickTime reference movies,
respectively. The best software I've found is qt_tools
(www.nwdocfinder.com/2832). It is a collection of five
command-line utilities written in Perl that work with
QuickTime on a Macintosh to make the export and
hinting capabilities of QuickTime Pro available from
the command line without requiring a QuickTime Pro
license. Qt_export is used to perform the file conversion;
qt_info identifies the metadata and settings used
to create the settings. With these tools you can build
an automated workflow to convert the video files suitable
for streaming with the streaming server and/or
progressive download viewing through a Web server.

Blass, a  network  architect  at  Change@Work  in  Houston, 
can  be  reached  at  dr.internet@changeatwork.com. 
Video fun with avatars and Skype


A couple of weeks ago we stumbled
across a very odd video called
“Breakup” (www.nwdocfinder.com/2834)
on YouTube. The video stars a
young lady named Melody who is
just talking.

If  you  know  Melody  we’re  sure  her 
video  that  discusses  her  breakup 
with  her  boyfriend  is  moving  and 
poignant.  For  the  rest  of  us  Melody 
notes  that  “My  videos  may  bore  you,” 
and  she’s  right,  except  for  one  thing: 
When  the  video  opens  she’s  wearing 
heavy-framed  glasses  that  she  removes  by  waving  her  hand 
in  front  of  her  face,  whereupon  the  glasses  disappear.  The 
glasses  reappear  and  are  then  replaced  with  a  gas  mask 
and  then  a  diving  mask. 

As  the  accessories  move  with  Melody’s  face  (the  cat’s 
muzzle  was  impressive),  we  thought  this  was  a  pretty 
neat  trick,  so  we  had  to  find  out  what  she  was  using. 
Melody’s  profile  listed  her  camera  —  a  Logitech 
Quickcam  Orbit  MP  (www.nwdocfinder.com/2835)  — 
thereby  saving  us  from  doing  any  really  investigative 
journalism. 

After  that  it  was  a  mere  step  over  to  Logitech’s  PR  folks, 
and  posthaste  there  was  a  Logitech  QuickCam  Fusion 
Webcam  and  software  waiting  for  us. 

The QuickCam Fusion Webcam is a 1.3-megapixel USB
camera with a built-in microphone and a button to take
snapshots. The camera provides fairly good video — it displays
visual noise at medium light levels and its frame rate
appears to be around 20 frames per second — but for
about $100, it’s a pretty good value.

The effects product — which is free — is called Logitech
Video Effects. It was launched last August and is based on
Logitech’s face-tracking software, which enables cameras to
identify, follow and focus on human faces. When a face that
has been found moves within the camera’s field of view the
camera attempts to keep the face in the center of the frame
as much as possible.

This  is  really  cool,  but  Video  Effects  goes  further  by 
allowing  you  to  replace  yourself  with  an  avatar. The  soft¬ 
ware  tracks  facial  expressions  using  as  many  as  22 
points  on  a  user’s  face.  This  allows  an  avatar  to  be  dis¬ 
played  that  copies  the  user’s  facial  movements  and 
expressions.  The  face-tracking  system  also  allows  Video 
Effects  to  position  accessories,  such  as  eyeglasses,  over 
a  user’s  eyes. 

You can select only one accessory or avatar at a time (a
shame because we were ready for some serious Mr. Potato
Head-type games). Accessories include those we already
mentioned as well as heavy eyebrows (alas, no uni-brow),
a curly moustache, Groucho Marx-style glasses and moustache,
a crown and so on.

For avatars you can choose from an alien, a gingerbread
person, a dinosaur, a shark (which is very cool), a car, a stick
figure (which is also pretty cool), a Tiki face or a number of
generic human faces (that are not at all cool).

The  face  tracking  works  well  as  long  as  the  lighting  is  just 
right. Accessories  seemed  to  be  less  fussy  about  facial  light¬ 
ing,  but  that’s  probably  because  they  don’t  need  the  detail 
required  to  track  expressions.  Until  we  more  or  less  com¬ 
pletely  rearranged  the  lighting  we  couldn’t  get  the  avatars 
to  work  at  all. 

We  also  tried  using  the  QuickCam  Fusion  Webcam  with 
the  latest  release  of  Skype  (www.skype.com),  which  now 
supports  video,  and  found  it  works  well.  We  called  Mr.  Cool 
Tools  (aka  Keith  Shaw),  who  also  has  a  Quickcam  Fusion, 
and  tried  adding  accessories  and  running  avatars.  These 
worked but appeared to suck up processor cycles, making
the video occasionally jerky.

We  also  tried  Logitech’s  videoconferencing  software, 
Logitech  Videocall,  which  costs  $6.95  per  month.  We 
decided  the  Videocall  software  was  inferior  to  Skype. 

All  in  all,  the  QuickCam  Fusion  Webcam  with  Skype  is  a 
good,  low-cost  videoconferencing  solution  and,  as  you  can 
present  yourself  as  a  shark  or  a  gingerbread  man,  pretty 
good  fun  as  well. 

Call  us  at  gearhead@gibbs.com  ( anytime )  or  say  hello  at 
Gibbsblog. 


GEARHEAD 
DataDots come in a pre-mixed
tube  and  include  an  applicator, 
so  you  can  safeguard  your  stuff. 


The  scoop:  DataDot  Personal  DNA  Kit, about  $20,  from  DataDot  USA 
What  it  is:  This  theft-protection  system  consists  of  polyester 
substrate  microdots  (each  about  the  size  of  a  grain 
of  sand)  onto  which  unique  identification  infor¬ 
mation  is  etched  by  a  laser  (basically  a  PIN). The 
dots  come  in  a  UV-based  adhesive,  and  users  can 
apply  the  dots  onto  anything  they  want  to  protect, 
such  as  laptops,  cell  phones  and  PDAs.  After  apply¬ 
ing  the  dots,  a  user  registers  the  PIN  with  the 
DataDot  Web  site.  If  the  equipment  is  stolen  and 
recovered,  police  can  identify  the  owner  based  on 
the  PIN  on  the  DataDot. 

Why it’s cool: The kit comes with hundreds of dots, so
safeguarding an entire collection of assets is
relatively quick and inexpensive (since
you’re only registering one PIN instead
of multiple pins). Because the DataDots are so tiny
they won’t be as detectable as stickers or other
identification systems.

Some caveats: In my tests, I put too much
glue on the equipment I wanted to identify. The
dried glue showed up easily, so the dot wasn’t
well hidden. In addition, the darker dots
showed up on my lighter equipment; I should have
placed them in darker areas. Because
the glue that the dots come in dries
quickly, you get only one chance to
apply them, so if you’re too slow,
you will have to get another kit.

Video fun: Head to www.networkworld.com/video
to watch
experiment with DataDots.

Grade:  icirkri  (out  of  five) 
The Memorex
FlashDisc  may 
revive  the  idea 
of  disposable 
storage. 



A  magnified  view  of  a  DataDot 
which  is  about  the  size  of  a  grain 
of  sand,  with  a  sample  PIN. 


The  scoop:  FlashDisc  3-pack,  about  $20,  from  Memorex 

What  it  is:  FlashDiscs  are  USB  memory  devices  that  hold  16MB 
of  data  each.  The  devices  pull  apart  at  the  middle  to  reveal  the  USB  port,  and 
they  are  color-coded  for  labeling  purposes. 

Why  it’s  cool:  Yes,  that’s  not  a  typo  —  each  FlashDisc  holds  only  16MB  of  data. 
So  why  is  that  cool?  Longtime  readers  know  I’m  always  in  favor  of  more  storage, 
so  I  was  skeptical  when  Memorex  announced  the  lower-capacity  FlashDiscs.  But 
then  I  realized  that  as  capacities  (and  prices)  of  USB  flash  storage  keep  going 
higher,  people  are  less  willing  to  give  them  away.  FlashDiscs  were  designed  to  be 
shared,  creating  an  almost  disposable  storage  system.  In  effect,  Memorex  is  trying 
to  revive  the  idea  of  a  “floppy  disk”  that  people  can  share. True  story:  A  colleague 
got  into  an  argument  with  a  PR  person  who  had  some  material  on  a  USB  flash 
drive  but  didn’t  want  to  give  up  the  device  to  my  colleague. The  PR  representative 
said  she  could  download  the  materials  onto  my  colleague’s  PC,  but  he  would  not 
give  her  access  to  his  system.  With  a  FlashDisc,  she  could  have  handed  over  the 
materials  without  being  concerned  about  the  expense.  Memorex  says  it  will  be 
coming  out  with  32MB  FlashDiscs  soon. 

Grade:  ★★★★ 

Shaw  can  be  reached  at  kshaw@nww.com. 
enters the mainstream


By Alan Radding


Every  new  technology  goes  through  an  early  shakeout  stage  before  it  crosses  the  chasm,  where  it  is  adopted  by  main¬ 
stream  organizations.  It’s  safe  to  say  that  service-oriented  architectures  (SOA)  and  the  services-based  approach  to 
information  systems  have  crossed  the  chasm  and  are  ready  for  prime  time. 


According to a recent survey by Research
Concepts LLC of Berlin, MA, SOA has
already been deployed at more than 50% of
their organizations. Thirty-three percent
have implemented at least one project, and
another 20% are in the process of implementing
their first, while 30% are planning
an SOA implementation. Only a small minority,
16%, have no SOA in their plans. That
puts SOA squarely in the IT mainstream.

Companies  are  turning  to  SOA,  according 
to  the  survey,  for  the  numerous  benefits  it 
delivers  for  both  IT  and  the  business  itself, 
starting  with  greater  business  process  flexi¬ 
bility.  Other  benefits  include  greater  adapt¬ 
ability  of  applications,  shorter  time  to  deploy 
new  applications,  and  increased  reuse  of 
application  components.  Reuse  has  the 
potential  to  deliver  substantial  hard-dollar 
savings  over  time,  while  faster  application 
deployment  enables  the  organization  to 
quickly  seize  opportunities.  More  than  half 
the  respondents  (58%)  cited  increased 
customer  satisfaction  as  a  primary  driver 
of  SOA. 

NEW  HORIZONS 

FirstMerit  Corp,  a  financial  service  firm 
based  in  Akron,  OH,  initially  turned  to  SOA 
to revamp its Internet banking channel. The
services  approach  allowed  it  to  quickly  make 
its  hard-to-use  mainframe  functionality 
accessible  to  customers  through  the 
Internet  and  the  Web,  explains  Larry  Shoff, 
executive  vice  president  and  CTO. The  ease 
with  which  the  company  could  do  that,  how¬ 
ever,  opened  up  an  entirely  new  opportunity 
for  the  company:  small-business  Internet 
banking. “We  could  take  what  we  had  done 
for  Internet  banking  and  quickly  turn  it  into 
a  new  banking  product  for  small  business,” 
says  Shoff. That  is  the  power  of  the  SOA 
approach. 

Although  SOA  certainly  has  crossed  the 
chasm,  there  is  still  work  to  be  done  before 
the  technology  settles  into  a  steady-state 
maturity.  For  example,  survey  respondents 
were  divided  on  what  constituted  the  best 
strategy  for  deploying  SOA.  Although  26% 
opted  to  mix  and  match  SOA  products  from 
multiple  vendors — the  best-of-breed 
approach — almost  an  equal  amount  (23%) 
are  turning  to  a  single  provider  for  an  inte¬ 
grated  solution.  Even  more  (29%)  use  a 
combination  of  approaches. 

FirstMerit,  for  example,  relied  primarily  on 
a  single  vendor,  DataDirect,  which  provided 
the  tools  and  middleware  to  turn  mainframe 
applications,  primarily  CICS  functions,  into 
Web  services  that  could  be  assembled  into 
Microsoft .NET applications by the company’s
developers. The results were standards-based
Web services using WSDL and SOAP.

Despite  the  success  of  many  companies 
with SOA, some challenges remain. The
biggest  of  these  is  security,  cited  by  66%  of 
survey  respondents.  Other  challenges  cited 
by  respondents  included  performance  (59%), 
compliance  and  governance  (58%),  and 
enforcement  of  business  rules  (53%). 

Standards  are  critical  to  the  success  of 
SOA.  SOA  works  because  it  provides  a  stan¬ 
dardized  way  to  access  functionality  and 
exchange  data  that  otherwise  reside  within 
incompatible  systems. 


[Chart: Implementation Strategy. Users choosing multiple paths to
SOA solutions. Response categories: We are using the best solutions
from several providers; We are using integrated solutions
from only one provider; We are using a systems integrator
to handle implementation; Some combination of the
above approaches; Other; Not sure.]
Although key SOA standards, such as
SOAP, WSDL, XML, and UDDI, are in place,
more are needed. The vast majority of survey
respondents (93%) felt that the industry
needs to speed up the development of standards.
Not surprisingly, then, where SOA
projects failed to meet expectations, just
over half the respondents (51%) attributed
the problem to insufficient standards.

The  best  practices  for  SOA  success, 
according  to  industry  analysts,  are  straight¬ 
forward. They  include  the  need  to  define  the 
business  value  at  the  outset,  identify  enter¬ 
prise-wide  reusable  services,  focus  on  the 
architecture,  and  plan  for  security  and  gov¬ 
ernance  from  the  start. 

Even  though  more  needs  to  be  done, 

SOA  clearly  is  ready  for  enterprise  prime 
time,  according  to  the  survey  respondents. 

Already  large,  leading  financial  services  firms 
have  deployed  SOA  applications  that  secure¬ 
ly  handle  a  million  or  more  transactions  a 
day  with  the  kind  of  performance  and  relia¬ 
bility  customers  expect.  Pretty  soon  every¬ 
one  will  be  doing  that. 
SOA Vendor Solutions for Your IT Challenges


COMPANY: Layer 7 Technologies

DETAILS:  Service  Oriented  Architectures  (SOA) 
provide  a  framework  for  integrating  applications  and 
business  processes  in  a  flexible  and  cost-effective  fashion 
for  large  enterprises. 

CHALLENGE:  Most  SOA  implementations  are  based 
on  XML  and  Web  services,  which  presents  architects  and 
operations  staff  with  several  major  challenges: 

•  Meeting  Performance:  Processing  XML  messages  at 
gigabit  rates  without  creating  network  bottlenecks. 
XML  processing  is  often  very  complex  and  can  signifi¬ 
cantly  tax  most  servers. 

•  Ensuring  Scalability:  Scaling  XML  processing  to  meet 
future  needs.  SOA  growth  is  explosive  and  solutions 
need  to  grow  to  meet  required  load. 

•  Deployment  Flexibility:  Various  combinations  of  edge 
based,  data  center  and  ESB  deployments  are  typically 
present  in  most  enterprises.  Addressing  their  specific 
processing  requirements  is  critical  to  rolling  out  SOA 
implementations. 

SOLUTION:  Layer  7's  SecureSpan  Gateway  provides 
a  single  solution  for  high-performance  XML  processing. 

A  dedicated  appliance  incorporating  XML  co-processing 
hardware,  the  SecureSpan  Gateway  is  designed  to 
address  these  challenges: 

•  Meeting  Performance:  A  single  SecureSpan  Gate¬ 
way  can  process  over  300  million  messages  per  day. 
SecureSpan  uses  64-bit  technology  and  dedicated 
hardware-based  XML  processing  to  ensure  high 
message  throughput. 

•  Ensuring  Scalability:  Only  Layer  7  offers  linearly 
scalable,  high  availability  clusters,  controlled  from 

a  single  management  point.  SecureSpan  Gateways 
can  be  incrementally  added  to  clusters,  scaling  to 
meet  future  needs. 

•  Deployment  Flexibility:  SecureSpan  offers  a  com¬ 
prehensive  range  of  accelerated  XML  parsing, 
transforms,  and  threat  detection  capabilities.  This 
broad  support  enables  a  single  product  to  address 
the  unique  requirements  of  edge,  data  center  and 
ESB  environments. 

To  learn  more,  download  the  SecureSpan  XML  Gateway 
whitepaper  at  www.layer7tech.com/XMLGateway. 

Email  address:  info@layer7tech.com 


COMPANY: Layer 7 Technologies

DETAILS:  Service  Oriented  Architectures  (SOA) 
provide  enterprises  with  a  framework  for  integrating 
applications  and  business  processes  in  a  flexible  and 
cost-effective  fashion.  But  with  this  flexibility  comes 
concerns  about  securing  information  flows  and  ensuring 
that  proper  controls  are  in  place. 

CHALLENGE:  The  use  of  XML  /  Web  services  technol¬ 
ogy  in  SOA  deployments  presents  architects  and  security 
managers  with  several  challenges: 

•  Meeting  Performance:  Implementing  XML  threat 
protection,  access  control,  and  integrity  at  gigabit 
rates  without  creating  network  bottlenecks.  XML 
processing  is  very  complex  and  can  tax  most  servers. 

•  Ensuring  Scalability:  Scaling  security  solutions  to  meet 
future  throughput  requirements.  SOA  growth  is  explo¬ 
sive  and  solutions  need  to  scale  to  meet  future  load. 

•  Policy  Flexibility:  Making  it  easy  to  customize  security 
rules  to  specific  security  standards,  client  deploy¬ 
ments  and  services  without  coding  or  testing. 

SOLUTION:  Acting  as  an  XML  firewall,  Layer  7's 
SecureSpan  Gateway  protects  applications  by  applying 
message  level  security  policies  and  gives  customers  the 
ability  to  meet  these  challenges  head-on: 

•  Meeting  Performance:  A  single  SecureSpan  Gateway 
can  process  over  300  million  messages  per  day. 
SecureSpan  uses  64-bit  technology  and  hardware- 
based  XML  processing  to  ensure  high  throughput. 

•  Ensuring  Scalability:  SecureSpan's  architecture  scales 
linearly  and  is  controlled  from  a  single  management 
point.  Gateways  can  be  deployed  as  high-availability 
clusters,  scaling  to  meet  future  needs. 

•  Policy  Flexibility:  SecureSpan  is  the  only  XML  Firewall 
built  around  the  WS-Policy  standard,  supporting 
customization  around  identity,  threats,  integrity 
and  SLAs.  Virtually  any  security  requirements  can 

be  enforced  using  Layer  7's  intuitive  policy  editor. 

To  learn  more,  download  the  SecureSpan  XML  Gateway 
whitepaper  at  www.layer7tech.com/XMLGateway. 

Email  address:  info@layer7tech.com 


COMPANY:  Reactivity,  Inc. 

DETAILS:  Reactivity  XML  Security  Gateway,  leading 
best-of-breed  XML  enabled  networking  solution  for 
secure,  reliable,  and  interoperable  XML  messaging. 

CHALLENGE:  Rapidly  deliver  an  XML-enabled 
network  for  real-time  repair  status  and  repair  initiation 
service  both  through  the  existing  customer  portal  and 
directly  with  customers' systems.  Initial  project  drivers 
included  customer  demand  for  direct  system  to  system 
access  to  SAP  and  mainframe-based  services  for  repair 
scheduling,  status  and  inventory  availability  in  real-time, 
24/7.  To  complicate  matters,  Rockwell  Collins' security 
policies  prohibit  HTTP  traffic  through  the  internal  firewall. 
Addressing  scalable  security  was  an  absolute  necessity. 

SOLUTION:  Rockwell  Collins  required  an  XML  gate¬ 
way  in  the  DMZ  that  would  receive  all  traffic  and  only 
route  secure  messages  to  their  back-end  systems.  In 
addition,  Rockwell  Collins  planned  additional  XML  gate¬ 
ways  internally  so  that  internal  XML  messages  did  not 
need  to  enter  the  DMZ.  Rockwell  Collins  required  the 
new  devices  to  enable  compliance  with  SLA  require¬ 
ments.  Finally,  the  new  devices  had  to  be  rapidly  deploy¬ 
able  and  deliver  robust  control  over  application  security 
policy  and  XML  message  processing. 

Rockwell  Collins  selected  the  Reactivity  XML  Security 
Gateways  to  power  their  service  oriented  architecture 
and  connect  with  their  customers.  Reactivity  met  the 
technical  requirements  and  also  the  project's  aggressive 
time  frame.  Rockwell  Collins  was  also  impressed  with 
the Reactivity Gateways' scalability, viability and policy
workflow  feature. 

Within  six  weeks  the  Reactivity  Gateway  infrastructure 
was  installed,  the  pre-existing  services  were  deployed, 
tested,  and  exposed  as  secure  production  services. 

Using  the  Reactivity  Gateways,  Rockwell  Collins  creates 
secure  SSL  connections  between  the  portal  and  back¬ 
end  servers;  authenticates  and  authorizes  back-end 
system  access;  and  accelerates  XML  processing  by 
offloading  XML  validation  and  transformation.  This 
was  accomplished  with  no  changes  to  their  back-end 
servers.  As  a  result  of  this  new  architecture,  Rockwell 
Collins  identified  an  opportunity  to  eliminate  the  devel¬ 
opment  of  duplicate  capabilities  that  resulted  in  saving 
the  company  approximately  $70,000  in  development 
costs  in  the  first  two  months  following  deployment. 

Over  the  course  of  the  next  year,  Rockwell  will  build 
another  eight  services  for  real-time  customer  service. 
Are we losing our
tech  advantage? 

A  recent  report  from  the  Economic  Strategy  Institute  in 
Washington,  D.C.,  titled  “America’s  Technology  Future  at 
Risk,”  argues  that  the  writing  is  on  the  wall. 

The  telecommunications  industry  has  been  responsible  for 
many  core  technology  developments,  including  the  tele¬ 
graph,  telephone,  transistor  and  semiconductor,  the  report 
says,  but  key  indicators  signal  we  are  in  danger  of  losing  the 
ability  to  come  up  with  the  next  big  thing. 

Sign  one,  it  says,  is  a  trade  deficit  in  high-tech  products  and 
services.  In  1997  the  United  States  had  a  trade  surplus  in  tele¬ 
com  equipment  of  $5  billion,  which  had  slumped  into  a 
deficit of $26 billion by 2004 “as production shifted rapidly to
Asia.” That’s a bit alarmist because shifting manufacturing offshore
doesn’t affect top-line sales for U.S. businesses, it just
improves profitability. But it does cost domestic jobs.

The  second  indicator  is  broadband  deployment. The  report 
says  the  United  States  led  in  broadband  as  recently  as  2000, 
but we have since fallen to 16th, with only 11 out of 100
inhabitants  subscribing  to  broadband  services.  South  Korea 
leads  the  list,  with  25  out  of  100. 

This argument isn’t very compelling since no country has
reached a broadband critical mass. The risk, of course, is that
commerce won’t emerge to capitalize on the infrastructure
until the infrastructure is there. The United States is gambling
on the market, hobbled as it is by regulation, to perform that
balancing act, whereas other countries are trying to get a
jump by actively encouraging broadband deployment.

The  same  thing  is  happening  with  3G  cell  networks,  the 
report  argues.  Here  again,  we’ve  let  the  market  decide. 

The  final  indicator  of  our  impending  doom  is  trends  in 
R&D  spending. The  report  mistakenly  views  the  R&D 
boom/bust  cycle  around  the  dot-com  bubble  as  being  histor¬ 
ically  relevant,  but  it  does  make  a  troubling  point  about  total 
R&D spending as a percentage of GDP:
“While  the  U.S.  spends  far  more  on  R&D  than  any  other 
country  in  absolute  dollar  amounts,  its  spending  as  a  per¬ 
centage  of  GDP  is  only  2.7%,  well  below  the  3%  level  at 
which  it  stood  in  1960.  It  is  also  below  the  current  3%  to  4% 
spent  by  Japan,  Korea,  Sweden,  Finland  and  Singapore.” 

While  the  report  has  something  of  a  Chicken  Little  feel  to  it, 
we  side  with  the  institute’s  recommended  actions  as  being 
sensible  next  steps  in  the  evolution  of  the  industry:  “Relieve 
disproportionate  regulatory  burdens”  on  telco  and  cable  TV 
operations  and  forget  about  “manufacturing  competition.” 
And rethink the FCC’s role “to be more that of a developmental
agency” focused on maximizing “deployment of
broadband access and the adoption of other advanced
communications technology.”

If  it  takes  a  little  chicken  to  get  us  there, so  be  it. 


—  John  Dix 
Editor  in  chief 
jdix@nww.com 




Apple  coverage  needs  polishing 

I  am  a  little  disappointed  in  your  coverage  of  Apple 
over  the  years.  I  look  to  Network  World  for  news, 
views  and  expert  analysis  that  I  can  trust.  But  it 
seems  as  though  the  Apple  system  (which  is  not  sub¬ 
ject  to  real  viruses  or  exploits,  is  more  robust  than 
Windows and is easier to use) warrants your attention
only when news — usually exaggerated or inaccurate
— of a “threat” like the OSX/Inqtana.A worm
(see www.nwdocfinder.com/2821) is circulating.

As  more  and  more  organizations  turn  to  Apple  sys¬ 
tems  to  cut  technical  support  costs  and  because 
their  workers  are  sick  of  Windows  with  its  viruses, 
crashes,  freezes,  pop-ups  and  frequent  security 
patches,  it  behooves  you  to  give  Apple  its  due  and 
cover  the  positive. 

Mark  Sealey 
Valencia,  Calif. 

Net  neutrality 

In Johna Till Johnson’s column (www.nwdocfinder.com/2822):
I agree in principle with the notion that
ISPs  should  be  able  to  charge  more  to  carry  appli¬ 
cations  that  stress  the  network  (more  packets  per 
second,  higher  prioritization,  more  stringent  QoS). 
But given the strong, not-so-hidden agenda of the
ISPs — to preclude others from providing applications
the ISPs themselves want to provide for the revenues
they produce — who will police the charges
imposed  for  stressing  the  network?  Is  there  even  a 
good  model  of  what  extra  packets  per  second  or  pri¬ 
oritization  cost  an  ISP?  In  a  deregulatory  environ¬ 
ment,  who  will  audit  claims  about  the  cost  of  the 
extra  stress?  What  compliance  monitoring  will  be 
done,  and  what  will  be  the  punishment  for  unrea¬ 
sonable  charges?  If  your  answer  to  all  this  is  that  the 
marketplace will reward those companies that price
stress correctly then we didn’t need to worry about
net  neutrality  in  the  first  place,  because  the  market¬ 
place  would  reward  the  competitor  that  provided 
open  access.  My  concern  is  we  are  coming  face  to 
face  with  the  consequences  of  having  lost  the  con¬ 
cept  of  common  carriage.  We  may  yet  pay  a  big  price 
for  distorting  the  Internet  model  by  having  rewarded 
the  telcos’  intransigence  in  providing  open  access  to 
their  networks  and  uncritically  accepting  their 
superficial  arguments  about  disincentives  to  invest 
when  such  open  access  is  required. 

Robert  Mercer 
President 

BroadView  Telecommunications 

Boulder,  Colo. 

In her column “Both sides have a point in net neutrality”,
Johnson writes: “Certain types of traffic —
voice, video and some interactive applications — do
stress the network more than others, and this impact
is particularly severe at last-mile broadband links,
where congestion is most likely.” Therefore, the control
should be with the last-mile “end user.” Let the
LAN owner (business) control its own quality of service.
Also, in this virtual world of packets, costs are on
a downward trend — so putting money into expanding
capacity is better than spending money to restrict
supply. For an example, look at long-distance
phone charges. With competition, the price to monitor,
compute distance and time, then custom-bill has
been replaced by fixed monthly fees. Why? Because
it is cheaper and simpler.

Brandon  Fouts 
Senior  systems  engineer 
Puget  Sound  Regional  Council 
Seattle 

E-mail letters to jdix@nww.com or send them to John Dix, editor in
chief, Network World, 118 Turnpike Road, Southborough, MA 01772.
Please  include  phone  number  and  address  for  verification. 
USER VIEW
Chuck  Yoke 


INDUSTRY  COMMENTARY 
Frank  Dzubeck 


Learning  to  live  with  spam 


Growing  up  in  a  lower-income  family  in  the 
1960s  meant  that  meals  often  consisted  of 
items  that  helped  to  stretch  the  budget  — 
stewed  tomatoes,  dandelion  greens,  potatoes, 
beans,  gravies,  breads  and  large  quantities  of 
Spam. A key protein component of my family’s
food pyramid, Spam was often a staple at breakfast,
lunch and dinner. I’m not embarrassed to say
that at one point in my life I liked Spam.

Today people are encountering spam of a different
variety. While e-mail spam may not be likable,
it plays a large role in our lives and is something
we will have to deal with for the foreseeable
future.

E-mail spam is increasing by the day. While public
and private e-mail providers try to block spam
through  various  filters  and  devices,  these  tech¬ 
niques  are  not  perfect.  Legitimate  e-mail  often 
gets  blocked,  and  spam  gets  through.  In  reality,  a 
knowledgeable  user  is  the  best  anti-spam  device. 

I am constantly amazed at how many people
are still victims of e-mail cons. Every week people
submit their credit card information to unknown
Web sites to reactivate accounts they didn’t know
they had, or send their bank account information
to foreign nationals so they can deposit the fortunes
they just obtained.

Common  sense  is  the  best  defense  against 
becoming  a  victim  of  spam.  Never  send  your 
bank  account  information  to  anyone  via  e-mail. 

Never  enter  your  credit  card  information  unless 
you  have  verified  the  validity  of  a  Web  site.  And 
no  matter  what  the  e-mail  says,  the  IRS  never, 
repeat  never,  gives  someone  an  additional  tax 
return. 

Once you’re aware of the issues with spam and
know how to manage the risks, it actually can be
quite entertaining. For example, I just checked my
Internet e-mail and found that: 1) the eBay
account I didn’t realize I had has been suspended
five times and all I need to do is re-enter my
credit card information to reactivate it; 2) I won’t
need eBay anymore, however, as there are two
Nigerian nationals who want to share with me
the large sums of money they took before their
exile, and all I have to do is send them my bank
account information so they can deposit it; 3) my
e-mail address, an Italian Web site informs me, has
been selected as the winner in a multimillion-dollar
international lottery, and all I need to do is
send them my bank account information; 4) I
can now easily obtain from foreign pharmacies
substances to enhance various parts of my body,
so I need that money; and 5) there is a large number
of lonely married women in my town looking
for a date, so e-mail No. 4 is good news.

Of  the  15  e-mails  in  my  in-box,  only  one  was 
legitimate.  That  was  an  e-mail  from  Network 
World stating that I needed to revalidate my eligibility
to continue receiving a subscription. But
I  write  for  Network  World ....  Oh  well,  at  least  it’s 
not  spam. 

Yoke  is  director  of  strategy  and  architecture  for  a 
global  travel  and  real  estate  corporation.  He  can 
be  reached  at  ckyoke@yahoo.com. 


Bandwidth  management  is  here  to  stay 


Bandwidth  management  is  broadly  defined 
as  the  control  of  traffic  in  a  network.  It  can 
encompass  numerous  techniques,  includ¬ 
ing  WAN  optimization;  WAN,  SSL,  XML  and  appli¬ 
cation  acceleration;  bandwidth  allocation;  band¬ 
width  shaping;  QoS;  and  network  caches.  Almost 
all  these  techniques  have  become  niche  busi¬ 
ness  opportunities  for  vendors.  Today,  there  are 
more  than  25  bandwidth  management  vendors. 

Discrete  market-size  projections  vary,  and 
industry  terminology  is  in  question. Still,  it  is  easy 
to  see  why  Cisco  decided  to  embrace  the  market 
in  December  with  its  Services  Oriented 
Networking  Architecture  and  a  new  internal 
business  group  called  Application  Network 
Services.  Cisco’s  contention  that  bandwidth 
management  is  the  next  $1  billion  opportunity 
seemed  far-fetched  until  one  realized  Cisco 
tossed  almost  every  form  of  bandwidth  manage¬ 
ment  opportunity  into  the  mix. 

According to a May 2005 study by IDC, WAN
optimization revenue was $255 million in 2004
and is projected to be $611 million in 2009, for a
compound annual growth rate (CAGR) of 19.1%.
In a similar study from June 2005, Gartner listed
application-acceleration equipment revenue at
$967 million in 2004 ($556 million for application
delivery acceleration and $411 million for
network performance optimization) and
expects it to reach $2.3 billion by 2009, for a
CAGR of 18.9%. These are not insignificant numbers.
(For readers’ thoughts on application acceleration
and other versions of bandwidth management
across the WAN, see the forum at
www.nwdocfinder.com/2823.)

The bandwidth management marketplace is
wide open, with no standards or even clear, unified
definitions of the technologies. The main
marketing promises to the customer are the same:
reduced transmission latency and cost control.

Why do so many alternatives exist? The answer
lies in the foundation and success of the
Internet. No network protocol has a life
expectancy of forever. IP has had the good fortune
of being improvable and extensible
through IETF guidance and continues to meet
corporate and service provider needs. The same
cannot be said for the IP protocols TCP and FTP
and higher-layer industry protocols such as
HTTP, DNS, SSL, XML and Session Initiation
Protocol. Over the years, TCP and FTP have
proven reliable workhorses but also have
become application latency liabilities. With
greater bandwidth availability and corporate
usage, the same is becoming true of almost all
higher-layer protocols.

The future is obvious: Develop a service-oriented
architecture (SOA) and use Web services.
A major benefit of an SOA is the decoupling
of application business logic from underlying
layered technology services. Today, however,
enhancing and extending transmission protocols
is not application-transparent and non-invasive.
Almost all application software is in
some way closely coupled to higher-layer transmission
protocols. Changing the protocol
requires changing the application — not a short-term
corporate option. Embedding bandwidth
management features in switches, routers,
servers, storage and clients is impossible without
industry standards, management systems and
upgrades of internal processing and memory;
therefore, bandwidth management appliances
and software are the solution.

The  bandwidth  management  marketplace  is 
broad  but  fragmented.  Numerous  overlapping 
products  exist  for  a  complex  suite  of  problems. 
Bandwidth  will  never  be  free  even  in  the  LAN.  In 
the  past,  fixing  a  latency  or  contention  problem 
was  easy:  Add  more  bandwidth.  That  form  of 
operational  management  sloppiness  cannot 
exist  today.  More  bandwidth  at  less  cost  is 
becoming  a  critical  corporate  issue.  The  lack  of 
standards  is  a  serious  industry  issue.  Proprietary 
vendor  concepts  and  implementations  create 
homogeneous  rather  than  heterogeneous  cus¬ 
tomer  and  vendor  environments.  Replacing  an 
incumbent  vendor  is  a  difficult  task.  No  industry 
leadership  or  focus  exists  to  fix  the  inherent 
problems of such protocols as TCP and FTP. The
battle  for  control  within  the  corporation 
between  IT  and  networking  for  bandwidth  man¬ 
agement  and  application  intelligence  control  is 
subtle  but  brewing. 

Bandwidth  management  is  here  to  stay  as  long 
as  delivering  a  high  quality  of  corporate  cus¬ 
tomer  satisfaction  is  important  to  the  bottom 
line.  Like  it  or  not,  bandwidth  management  appli¬ 
ances  and  software  will  always  exist. 

Dzubeck  is  president  of  Communications 
Network  Architects,  an  industry  analysis  firm  in 
Washington, D.C. He can be reached at
fdzubeck@commnetarch.com.
Network access control

Before  diving  into  the  who’s  who  of  NAC, 
it’s  important  to  understand  its  basic  ele¬ 
ments  (see  NAC  primer, below). 

There  are  three  fundamental  approaches 
to  NAC  based  on  where  the  access  control 
is  being  enforced  in  the  enterprise:  edge 
control,  core  control  and  client  control. 

Edge  control  takes  the  principle  of  the 
firewall  and  pushes  it  to  the  edge  of  the  net¬ 
work,  where  systems  connect.  If  you  are  pro¬ 
tecting  a  LAN,  the  individual  switch  port  be¬ 
comes  the  NAC  control  point.  If  you  are 
working  with  a  VPN  connection,  the  IPSec 
concentrator  or  the  SSL  VPN  device  is  in 
charge  of  enforcing  access  controls.  In  a 
wireless  environment,  the  access  point  or 
wireless  switch  plays  the  NAC  role. 

In the core control schema, controls can
be enforced anywhere in the network providing
it’s in deeper than the edge device.
You could insert a NAC device inline, or as
a passive tap, between edge switches and
the core, where it would collect authentication
and endpoint security information,
and then enforce the appropriate access
control policy. These devices (such as
Lockdown Network’s Enforcer) inspect traffic
or control plane information passing
by and reach into the network to change
configuration to apply enforcement.

The client control approach focuses on
the end system connecting to the network
where greater attention is paid to the management
and control of the end system. The
Senforce Endpoint Security Suite installs a
fairly heavyweight application on each end
system that enforces NAC policies and local
access controls, such as disabling wireless
access if the VPN client isn’t in use. An endpoint
protected by this kind of tool inherits
a strong set of security protections, such as
personal firewall, USB device locking and
wireless controls that might be difficult (or
impossible) to assemble and manage from
a slew of other NAC vendors.

While the client control approaches are
attractive from a lower budget and simplistic
management point of view, they don’t
strongly overlap with NAC approaches that
integrate with the network to help to defend
itself, to force user authentication or to
provide identity-based access controls.

None of the NAC frameworks touted by
the major network players fits neatly into
any single deployment category. For example,
as a manufacturer of firewalls and SSL VPN
devices (but not switches), Juniper’s Infranet
NAC strategy is very much core-control
oriented — except when the controls are
being applied to SSL VPN users, in which
case the strategy looks more like an edge-control
one. Similarly, Cisco’s own Network
Admission Control is more focused on the
edge device and is designed to behave like
an edge-control strategy because Cisco controls
the majority of enterprise switches in
wiring closets. Cisco also includes controls
upstream from those switches to handle environments
where old switches that can’t
handle NAC are installed, so its underlying
NAC architecture encompasses core-control
aspects as well.

NAC primer

Generic network access control at
its core is a simple concept: Who
you are should govern what you’re
allowed to do on the network. When all
of the parts are in place, NAC will be a
way to apply a policy for network access
across LAN, wireless and VPN infrastructures.
The access control policy
in NAC could range from simple, such
as a go/no-go decision on network access
or a choice of virtual LANs, or it
could be as complex as a set of per-user
firewall rules defining which parts of the
network are accessible.

Within a NAC deployment, the IT manager
uses three main elements to pick
an access control policy: authentication,
endpoint security assessment and network
environmental information.

Authentication is the straightforward
“Who are you?” transaction that users
are accustomed to with other applications.
As a concept, NAC doesn’t have
any special requirements for authentication.
A good NAC deployment would use
the same authentication system as
other applications. For example, if you’re
applying NAC to a remote access IPSec
VPN tunnel, you should use the same
authentication to bring up the IPSec
tunnel as you do to authenticate a user.

Endpoint security assessment is the
most complex part of selecting a policy
in NAC, but it’s also the driving factor
for deploying NAC in the first place. The
underlying idea is that the security posture
of the connecting laptop, desktop or
server should be a part of access control
policies. For example, if a connecting
system doesn’t have the standard corporate
anti-virus package, the user
should get a different access control
policy than if everything is installed and
all the signatures are up-to-date.

Network environmental information is
a small but important part of selecting
access policies in a NAC scheme. Environmental
information might be circumstantial
data about whether you’re
connecting via a wireless network or
through a VPN, or whether you’re in the
building or in another country. These circumstances
play into the decision of
what access control policy is assigned
to the connecting system. For example, if
you’re coming in on a VPN, you might not
be able to get to as many parts of the
network as if you were in the building.

NAC is a hot buzzword; therefore, this
component-level definition of what NAC
is won’t map directly to all NAC products
and architectures. But most products
being offered as part of an overall
NAC strategy include at least some
component, if not all, of this definition.

— Joel Snyder

There  are  other  distinguishing  character¬ 
istics  between  NAC  approaches.  Some  ven¬ 
dors  consider  the  endpoint  security  assess¬ 
ment  to  be  a  one-time  check  at  system  con¬ 
nection,  while  others  take  a  continuous 
approach,  constantly  checking  and  verify¬ 
ing  the  state  of  endpoint  security.  Some 
tightly  focus  on  endpoint  security  as  the 
key  reason  for  implementing  NAC,  while 
others  hone  in  on  authentication  and  pol¬ 
icy  as  the  prime  pieces.  Some  only  work 
well  in  environments  where  their  own 
agent  is  installed  on  the  endpoint  while 
others  attempt  to  embrace  environments 
where  no  agent  is  available. 

Although  these  three  implementation 
approaches  let  you  start  to  winnow  your 
NAC  choices,  you  have  to  dive  deeper  into 
the  proposed  architectures  to  further  de¬ 
cide  what  works  best  in  your  network. 

The  first  difficulty  in  evaluating  NAC  archi¬ 
tectures  is  there  is  a  lot  of  paperwork  but  not 
a  lot  of  products.  For  example,  when  Micro¬ 
soft  threw  its  hat  into  the  NAC  ring  with 
Network  Access  Protection  in  July  2004,  it 
used  the  network’s  DHCP  server  as  one  of 
the  primary  enforcement  mechanisms.  If 
you  didn’t  pass  the  appropriate  endpoint 
security  checks, you  got  an  IP  address  regu¬ 
lating  you  to  the  land  of  quarantine  so  that 
you  could  not  disturb  the  rest  of  the  net¬ 
work,  but  you  couldn’t  fix  your  problems. 

While  that  approach  works  great  with  a 
cooperative  user  community,  it  doesn’t  pro¬ 
tect  well  against  a  malicious  user  looking  to 
gain  unauthorized  network  access.  In  re¬ 
sponse,  Microsoft  changed  its  architecture 
by adding a stronger enforcement mechanism
based on 802.1X.

That  was  easy,  because  all  Microsoft  had 
to  do  was  adjust  a  few  white  papers  on  its 
site  to  include  this  stronger  enforcement. 
And  while  the  current  set  of  forecasts  are 
that  Network  Access  Protection  will  ship 
with  the  Vista  version  of  Windows,  expected 
late  this  year  or  early  2007,  there’s  no 
promise  that  what  comes  out  on  those  gold 
master  CDs  will  include  all  the  features  in 
the  NAC  architecture. 


Microsoft isn’t the only vendor with a
paucity of products. The TCG, a nonprofit
industry-based standards organization comprising
interested vendors, has been working
on its Trusted Network Connect scheme
since mid-2004 and still doesn’t have a completed
architecture. The Trusted Network
Connect framework includes six separate
protocols to build a complete system, but
only two of these have been fully defined,
making it impossible to have a fully deployed
Trusted Network Connect NAC network.
TCG has promised the rest of the protocols
any day now.

Start  with  a  little  TCG 

That  said,  the  best  starting  point  for  evalu¬ 
ating  NAC  architecture  is  with  the  TCG’s 
Trusted  Network  Connect  because  its  speci¬ 
fications  are  created  in  an  open,  vendor- 
neutral  environment  and  can  be  used  as  a 
good  model  just  to  get  the  terminology 
straight.  Every  proposed  NAC  strategy  can 
be  mapped  to  the  Trusted  Network  Connect 
architecture,  but  that  doesn’t  mean  Trusted 
Network  Connect  is  a  superset  of  other 
products.  Many  NAC  vendors  add  features 
not  explicitly  discussed  by  TCG,  such  as 
control  of  personal  firewall  or  continuous 
rechecking  of  endpoint  security  status. 
Other  NAC  vendors  handle  cases  that  are 
not  discussed  in  the  TCG  architecture,  such 
as  how  to  provide  access  controls  when  the 
end  system  is  a  guest  laptop  and  doesn’t 
have  all  the  necessary  software  installed. 

The Trusted Network Connect architecture
divides the NAC problem into three entities:
the Access Requestor, the Policy Enforcement
Point and the Policy Decision
Point (see diagram, page 40).

TCG’s Access Requestor is a combination
of the entity trying to gain access to the network,
such as a laptop or desktop computer,
and the software and drivers that implement
authentication and endpoint security
assessment processes. TCG divides the Access
Requestor into three smaller pieces. At
the bottom is a Network Access Requestor,
software used by the client to connect to
the network, request access and provide
authentication. For example, an 802.1X supplicant
or an IPSec VPN client could serve
as a Network Access Requestor.

Integrity  Measurement  Collectors,  soft¬ 
ware  components  responsible  for  evaluat¬ 
ing  the  security  posture  of  the  end  system, 
are  on  top  of  the  Network  Access  Requestor, 
still  on  the  client  system  and  part  of  the  ac¬ 
cess.  If  your  policy  is  defined  such  that 
everyone  has  to  be  running  anti-virus  soft¬ 
ware,  then  your  anti-virus  vendor  would  pro¬ 
vide  a  plug-in  that  serves  up  status  informa¬ 
tion  on  its  software. TCG  divides  this  task 
into  two  pieces:  the  Integrity  Measurement 
Collectors,  and  the  Trusted  Network  Con¬ 
nect  client  that  collects  information  from 
the  Integrity  Measurement  Collectors  and 
helps  package  it  up  for  policy  evaluation. 

The Trusted Network Connect NAC Policy
Enforcement Point is exactly as it sounds:
the point at which policy is enforced. TCG’s
NAC  doesn’t  describe  what  kinds  of  policy- 
based  enforcement  mechanisms  are  avail¬ 
able,  probably  to  remain  as  vendor  neutral 
as  possible,  although  the  architectural  doc¬ 
uments  describe  how  quarantine  and 
remediation  might  be  part  of  policy 
enforcement. 

The Trusted Network Connect NAC Policy
Decision Point also is divided into three
parts. The bottom piece, which is in charge
of talking to the authentication server and
communicating decisions to the Policy
Enforcement Point, is the Network Access
Authority. In a typical network, this would
likely be an AAA (authentication, authorization
and accounting) server.

Behind the Network Access Authority are
Integrity Measurement Verifiers. These are
the counterparts to the Integrity Measurement
Collectors on the client. They receive
the reports the Client Integrity
Measurement collectors send and provide
verification information back to the Network
Access Authority. The verifiers and the
collectors are a matched set. They can talk
to each other through a tunnel provided by
all the other pieces of the NAC architecture,
using whatever proprietary vendor-specific
protocol vendors want.

The Trusted Network Connect architecture
layers a thin server piece,
called the TNC server, in the Policy
Decision Point that is the interface
between the Integrity Measurement
Verifiers and the Network Access
Authority.

The Trusted Network Connect
NAC architecture is designed to
work within an existing 802.1X
authentication and authorization
system. If you rename the
client-side Network Access
Requestor to “802.1X supplicant”;
the Policy Enforcement
Point to “802.1X-compatible
switch or access
point”; and the Network Access
Authority Policy
Decision Point to “802.1X
RADIUS server”, then the
Trusted Network Connect
NAC plan is bits of software
that sit on top of an existing
802.1X deployment to add
endpoint security assessment
to the mix.
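
The roles described above, wired together as an added Python example (not code from TCG, Cisco or the article): collectors and the TNC client on the Access Requestor; verifiers, the TNC server and the Network Access Authority on the Policy Decision Point; and a Policy Enforcement Point that applies the result. The user, segment and VLAN names, the seven-day signature limit and the rule that an endpoint sending no report is quarantined are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: users, roles and segment names are hypothetical.
AAA_USERS = {"alice": ("correct horse", "engineering")}
ROLE_SEGMENTS = {"engineering": ("intranet", "build-servers", "internet")}
VPN_SEGMENTS = {"intranet", "internet"}   # environment rule: VPN sees less
MAX_SIGNATURE_AGE_DAYS = 7                # assumed corporate policy

# ---- Access Requestor (client side) ----
def antivirus_imc(host):
    """Integrity Measurement Collector: report anti-virus state."""
    av = host.get("antivirus")
    if av is None:
        return {"installed": False}
    return {"installed": True, "signature_age_days": av["signature_age_days"]}

def firewall_imc(host):
    """Integrity Measurement Collector: report personal firewall state."""
    return {"enabled": bool(host.get("firewall_enabled"))}

def tnc_client(host):
    """TNC client: package every collector's measurement for the PDP."""
    return {"antivirus": antivirus_imc(host), "firewall": firewall_imc(host)}

# ---- Policy Decision Point (server side) ----
def antivirus_imv(m):
    """Integrity Measurement Verifier paired with antivirus_imc."""
    if not m.get("installed"):
        return "anti-virus not installed"
    age = m.get("signature_age_days", MAX_SIGNATURE_AGE_DAYS + 1)
    if age > MAX_SIGNATURE_AGE_DAYS:
        return "anti-virus signatures out of date"
    return None

def firewall_imv(m):
    """Integrity Measurement Verifier paired with firewall_imc."""
    return None if m.get("enabled") else "personal firewall disabled"

IMVS = {"antivirus": antivirus_imv, "firewall": firewall_imv}

def tnc_server(report):
    """TNC server: hand each measurement to its verifier, collect failures."""
    if report is None:  # assumption: no agent on the endpoint means non-compliant
        return ["no integrity report received"]
    failures = []
    for name, imv in IMVS.items():
        problem = imv(report.get(name, {}))
        if problem:
            failures.append(problem)
    return failures

def network_access_authority(username, password):
    """Stand-in for the AAA lookup: returns the user's role, or None."""
    record = AAA_USERS.get(username)
    if record is None:
        return None
    stored, role = record
    ok = hmac.compare_digest(stored.encode(), password.encode())
    return role if ok else None

@dataclass(frozen=True)
class Decision:
    allow: bool
    vlan: Optional[str]
    segments: tuple
    reasons: tuple

def decide(username, password, report, access_method):
    """Pick a policy from authentication, endpoint assessment, environment."""
    role = network_access_authority(username, password)
    if role is None:
        return Decision(False, None, (), ("authentication failed",))
    failures = tnc_server(report)
    if failures:
        return Decision(True, "quarantine", ("remediation",), tuple(failures))
    segments = ROLE_SEGMENTS[role]
    if access_method == "vpn":
        segments = tuple(s for s in segments if s in VPN_SEGMENTS)
    return Decision(True, "corp", segments, ())

# ---- Policy Enforcement Point (switch, access point or VPN device) ----
def enforce(decision):
    """Turn the PDP's decision into settings for the connecting port."""
    if not decision.allow:
        return {"port": "blocked"}
    return {"port": "open", "vlan": decision.vlan,
            "permit": list(decision.segments)}

if __name__ == "__main__":
    laptop = {"antivirus": {"signature_age_days": 30}, "firewall_enabled": True}
    print(enforce(decide("alice", "correct horse", tnc_client(laptop), "lan")))
```

The three outcomes correspond to the range the primer describes: a go/no-go decision, a choice of VLAN, and a per-user list of reachable segments.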

This becomes obvious if
you look at the protocols
the Trusted Network Connect
chose to publish first.

There are those that let the
vendor-supplied integrity
measurement collectors
talk to a vendor-neutral
Trusted Network Connect
client on the client
system and those that
let the vendor-supplied
Integrity Measurement Verifier talk to
the vendor-neutral Trusted Network Connect
server on the Policy Decision Point
end. As prototype implementations started
showing up, Trusted Network Connect relied
heavily on existing 802.1X mechanisms
such as authentication and tunneling
to get the other pieces to work, although
none of this is laid out explicitly in
the architecture documents.

Focusing on 802.1X does not mean that
the  Trusted  Network  Connect  architecture 
won’t  support  other  kinds  of  Policy  Enforce¬ 
ment  Points,  such  as  firewalls, VPN  concen¬ 
trators  or  core  switches.  But  it  does  mean 
that  anyone  trying  to  go  from  architecture 
to  implementation  using  the  Trusted  Net¬ 
work  Connect  documents  will  quickly  find 
even  more  missing  pieces,  at  least  at  this 
stage  of  the  architecture.  Important  parts  of 
the  big  picture,  such  as  how  the  Trusted 
Network  Connect  client  and  server  talk  to 
the  network  access  requestor  and  network 
access  authority  aren’t  called  out  for  future 
discussion  —  which  means  even  when  the 
architecture  is  completed  as  planned,  it 
won’t  be  fully  complete. 

While  TCG’s  Trusted  Network  Connect  ar¬ 
chitecture  is  a  well-constructed  way  to  think 
about  NAC,  refer  to  NAC  components  and 
compare NAC solutions, it doesn’t yet represent
an architecture that’s complete enough
to be used to begin implementation.


Cisco's  network  control 

Cisco’s  Network  Admission  Control  can 
be  directly  mapped  to  TCG’s  NAC  architec¬ 
ture.  However,  because  Cisco  is  bound  by 
the  revenue  reality  of  its  installed  base,  the 
architecture  comprises  both  compromises 
in  and  extensions  beyond  what  TCG  offers. 

On  the  client  side,  TCG’s  Network  Access 
Requestor  and  the  Trusted  Network  Con¬ 
nect  client  are  covered  by  free  Cisco  Trust 
Agent  software.  TCG’s  Integrity  Measure¬ 
ment  Collectors  appear  in  the  Cisco  model 
as  vendor-provided  agents  and  as  (option¬ 
ally)  Cisco’s  own  Cisco  Secure  Access  prod¬ 
uct,  a  host  intrusion-prevention  system  it 
picked  up  with  its  2003  Okena  acquisition. 

Cisco has had to get serious about the
protocols needed to handle Network Admission
Control. At the lowest layer, Cisco
selected the Extensible Authentication Protocol
(EAP). While EAP was designed by
the IETF for authentication and is used in
most 802.1X deployments, Cisco has developed
its own proprietary (but publicly disclosed)
EAP method, called EAP-FAST
(Flexible Authentication via Secure Tunneling).
With EAP-FAST in place, Cisco can include
802.1X authentication as well as endpoint
security assessment information
wrapped inside the EAP protocol.

Because Cisco wants its product line to
work with more than 802.1X-enabled
switches, Cisco Trust Agent has EAP-over-802.1X
and EAP-over-User Datagram Protocol
(UDP) support. With this dual protocol
support, when an end system tries to
access the network using a method other
than 802.1X, such as a VPN client or someone
coming in through a non-802.1X
switch, the EAP traffic travels over UDP instead
of directly in Ethernet frames.

There is a critical difference between the 802.1X
and UDP versions of Cisco’s EAP, however. In
the 802.1X case, EAP includes authentication
and endpoint security assessment information.
When used with UDP, Cisco’s NAC
no longer does authentication. Instead, the
user has to be authenticated via some other
mechanism, and the authentication and
user credentials are no longer tightly tied to
the security policy for that user.

This lack of symmetry between 802.1X and UDP versions of Cisco’s Network Admission Control means that access and authentication are handled differently depending on whether you are connecting via LAN, wireless LAN or over a VPN tunnel.

A further symptom of this unequal support is the lack of wireless support in the free Cisco Trust Agent. For wireless 802.1X, network managers will have to replace the freeware Cisco Trust Agent 802.1X with a different 802.1X supplicant from Meetinghouse Data Communications or Funk Software (now Juniper). The real focus of the current version of Cisco’s Network Admission Control is endpoint security assessment — the authentication that comes out of the 802.1X dialog is really a fortunate side effect.

As a dominant manufacturer of switches, routers and VPN devices, Cisco is shouldered with the difficult task of incorporating Network Admission Control into its devices. TCG’s policy enforcement points equate in Cisco’s architecture to network access devices. Cisco has pages of documentation explaining which devices will support the different client scenarios: EAP over UDP and EAP over 802.1X.

Summarizing those charts is difficult and subject to dissension; Cisco’s competitors cite the requirement to upgrade all switches as a major disadvantage of Cisco’s approach, while Cisco believes the majority of enterprise customers interested in Network Admission Control have the right equipment in place and can start using it immediately.

One very clear issue is that the policy-enforcement capabilities of different devices vary widely. Sending full, fine-grained access control policies to the policy enforcement point will only be possible in networks with limited sets of devices, such as Cisco’s high-end 6500 switches. Cisco’s support of more coarse-grained access control, such as virtual LAN-based isolation or even wholesale go/no-go access to the network, comprises the capabilities of most Cisco products available today.


Walking through a generic NAC process

A good starting point for evaluating NAC architecture is with the Trusted Computing Group’s Trusted Network Connect, because its specifications are created in an open, vendor-neutral environment and can be used as a good model just to get the terminology straight. To understand better how the TNC terminology relates to the vendor-specific vocabulary offered by Cisco, Juniper and Microsoft, refer to the chart on page 41.

Each Integrity Measurement

Cisco offers a second approach to its Network Admission Control with the Cisco Clean Access appliance, picked up with the 2004 Perfigo acquisition. This appliance is shoe-horned into Cisco’s NAC strategy for companies that want endpoint security assessment, but don’t want to change their infrastructure to get it. The long-term integration between the Clean Access server, the Clean Access agent and a general NAC scheme is uncertain, largely represented by malleable PowerPoint slides that are likely the subject of ongoing debate within Cisco.

The Cisco equivalent to the TCG’s back-end policy decision point is Cisco’s access control server and a series of interfaces to third-party policy, authentication and audit servers. Access Control Server, Version 4.0 or higher, represents the Cisco version of a TCG network access authority combined with the Trusted Network Connect server. Integrity measurement verifiers, called policy server decision points in Cisco’s architecture, connect to the Access Control Server using Cisco-defined protocols.

Cisco’s architecture reaches beyond TCG’s NAC plan with audit servers, which audit the endpoint security status of devices that do not have the Cisco Trust Agent installed on them. When an agentless system tries to connect to a network protected by Network Admission Control, the policy enforcement point (network access device in Cisco’s terminology) can detect there is no agent. It then can sic an audit server on the end system, either by trying to scan the system from the outside or by trying to download agent software into the browser allowing an audit to occur. Although the audit server fills an architectural hole, it’s not very clear how much useful data it will collect or whether it will be sufficient to set network access policies upon.

Cisco’s Network Admission Control architecture is a serious one, and it is backed up by decent support throughout Cisco’s product line. There are some ugly spots, though, such as the lack of policy integration when using non-802.1X methods. However, Cisco has struck a good balance between what is architecturally elegant and what works in existing enterprise networks. If there is a weak spot in Cisco’s architecture, it’s the intense focus on endpoint security and relative inattention paid to detailed access controls and authentication.

Microsoft's  Network  Access  Protection 

The most significant differences between Microsoft’s Network Access Protection architecture and TCG’s Trusted Network Connect result from the fact that Microsoft doesn’t make switches or routers. Therefore, the path for handling enforcement is different, focusing on the SMB-friendly DHCP rather than enterprise-sized 802.1X — although the architecture gives a nod to the latter as an option.

As with Trusted Network Connect, the Microsoft client side is broken into three parts. At the top are the Microsoft System Health Agents, taking on the function similar to Integrity Measurement Collectors. These agents are responsible for generating Statements of Health that can be used to assess endpoint security. Tying the System Health Agents into the rest of the architecture is Microsoft’s Network Access Protection Agent, analogous to TCG’s Trusted Network Connect Client. Below the Network Access Protection Agent are Microsoft’s Enforcement Clients, which line up with TCG’s Network Access Requestor. These Enforcement Clients, typically 802.1X supplicants or VPN clients in other architectures, also include DHCP client capabilities in Microsoft’s world.

Microsoft’s architectural white papers define clients for DHCP, Point-to-Point Protocol/Layer 2 Tunneling Protocol (PPP/L2TP), and IPSec network access. More important, though, is that Microsoft has defined the API connecting its three layers of Network Access Protection on the client. By creating an API that describes how the three pieces of the client will fit together, Microsoft eliminates an enormous amount of risk and variability in the entire Network Access Control space. Even if Microsoft’s entire Network Access Protection product plans were jettisoned internally, the contribution of having these defined APIs shipping with Windows cannot be underestimated.

Mapping NAC terms across vendors

While we’ve pointed to the Trusted Computing Group’s Trusted Network Connect architecture as the one to use to get a handle on NAC terminology in general, this chart shows how vendor-specific terms relate to each other.

Each entry gives the Trusted Computing Group Trusted Network Connect (TNC) term, what it is, and the corresponding Cisco Network Admission Control, Microsoft Network Access Protection and Juniper Infranet terminology.


CLIENT-SIDE COMPONENTS, COLLECTIVELY CALLED THE “ACCESS REQUESTOR”

Integrity Measurement Collector
    What is it? Third-party software that runs on the client and collects information on security status and applications, such as is A/V enabled and up-to-date?
    Cisco: Applications, through plug-ins to the Cisco Trust Agent, including Cisco’s own Cisco Security Agent.
    Microsoft: System Health Agent uses its own API to communicate with Network Access Protection Agent.
    Juniper: Supports third-party Integrity Measurement Collectors and you can use Juniper’s Host Checker.

Trusted Network Connect Client
    What is it? “Middleware” that runs on the client and talks to the Integrity Measurement Collectors (IMC) collecting their data and passing it to Network Access Requestor.
    Cisco: Cisco Trust Agent or, if none is there, Cisco Network Admission Control Agentless Host.
    Microsoft: Network Access Protection Agent uses its own API to communicate with Enforcement Client.
    Juniper: Infranet Agent includes this function.

Network Access Requestor
    What is it? Client-side software that connects the client to the network. Typical examples might be 802.1X supplicant, IPSec VPN client, or (in Microsoft’s NAP) DHCP client. Used to authenticate the user, but also as a conduit for IMC data to make it to the other side.
    Cisco: Cisco Trust Agent incorporates the communications, with options for using integrated or standalone 802.1X supplicants.
    Microsoft: Enforcement Client
    Juniper: Infranet Agent, using either Juniper’s Enterprise Infranet Agent with their own framework or the Odyssey Agent which uses TCG protocols above.


NETWORK-SIDE COMPONENTS

Policy Enforcement Point
    What is it? Component within the network that enforces policy, typically an 802.1X-capable switch or wireless LAN, VPN gateway or firewall.
    Cisco: Network Access Device
    Microsoft: Enforcement Server
    Juniper: Enterprise Infranet Enforcer


NETWORK MANAGEMENT COMPONENTS, COLLECTIVELY, THE “POLICY DECISION POINT”

Integrity Measurement Verifier
    What is it? Third-party software that receives status information from Integrity Measurement Collectors on clients and validates the status information against stated network policy, returning a status to the TNC Server.
    Cisco: Policy Decision Points also called the Policy Vendor Server.
    Microsoft: System Health Verifier API to Network Access Protection Administration Server below.
    Juniper: No specific term but the function can occur directly on the Infranet Controller or can call out using the Host Check API.

Trusted Network Connect Server
    What is it? “Middleware” acting as an interface between multiple Integrity Measurement Verifiers (IMV) and the Network Access Authority.
    Cisco: This function is incorporated into the Policy Server Decision Points.
    Microsoft: Network Access Protection Administration Server
    Juniper: Part of Unified Access Control Policy incorporated into policy server, through Host Check Server Integration Interface, Host Check policies or through interfaces with TNC-TCG IMC/IMVs.

Network Access Authority
    What is it? A server responsible for validating authentication and posture information and passing policy information back to the Policy Enforcement Point.
    Cisco: Access Control Server v4.0
    Microsoft: Network Policy Server (replaces the Microsoft IAS RADIUS server)
    Juniper: Enterprise Infranet Controller

Of  course,  the  trick  will  be  convincing 
every  other  NAC  architect  in  the  industry 
that  Microsoft’s  API  is  both  necessary  to  a 
good  NAC  design  and  sufficient  for  the  task. 
No  vendor  is  proposing  to  make  this  mid¬ 
dleware  piece  a  moneymaking  differentia¬ 
tor.  It  simply  exists  to  let  desktop  security 
vendors  have  a  way  of  communicating  the 
status  of  their  products  back  to  the  Policy 
Decision  Points.  By  simply  adopting  Micro¬ 
soft’s  model,  which  happens  to  mesh 
almost  perfectly  with  the  other  important 
NAC  models,  IT  managers  won’t  have  to 
worry  about  interoperability  or  vendor 
lock-in  at  that  point  in  the  scheme. 

The  role  of  Policy  Enforcement  Point  in 
Microsoft’s  architecture  is  assumed  by 
Enforcement  Servers.  Because  Microsoft 
doesn’t  make  switch  or  router  hardware,  its 
engineers  originally  envisioned  access  con¬ 
trol  enforcement  as  a  service  rather  than  a 
choke-point  type  control  that  a  company 
such  as  Cisco  might  consider  as  the  more 
natural  approach. 

With  Vista/Longhorn,  Microsoft  says  it  will 
release  Enforcement  Servers  as  part  of  its 
own  Routing  and  Remote  Access  Service 
(RRAS)-based  VPN  servers,  operating  both 
at  the  Point-to-Point  Tunneling  Protocol  and 
L2TP  layers  as  well  as  at  the  IPSec  layer.  It’s 
very  clear  from  the  public  documents 
Microsoft  has  released  that  it  views 
Network  Access  Protection  primarily  as  a 
tool  for  giving  users  either  no  access,  full  ac¬ 
cess,  or  limited  access  to  some  sort  of  reme¬ 
diation  and  quarantine  network. 

The  lack  of  a  firm  place  for  authentication 
in  Microsoft’s  architecture  shows  that  this 
product  family  is  primarily  designed  to 
help  existing  managed  desktops  and  lap¬ 
tops  in  a  Microsoft  domain  environment 
stay  compliant  with  end  point  security 
policies,  rather  than  as  a  generic  network 
access  control  mechanism. 

At the back end Policy Decision Point, Microsoft offers its new Network Policy Server, a RADIUS-based server replacing Microsoft’s older Internet Authentication Server. Network Policy Server will ship in new versions of Windows. The Network Policy Server contains the functionality of TCG’s Network Access Authority, including authentication and policy management, with a separate Network Access Protection Administration Server, which handles the same functions of the TCG’s Trusted Network Connect Server component, gluing the authentication server to third-party health verifier plug-ins. On top of the Administration Server, using a Microsoft-defined API, are System Health Verifiers, the equivalent of TCG’s Integrity Measurement Verifiers, which receive Statements of Health from System Health Agents on the client and provide answers back to the Administration Server.


Why NAC schemes abound

Even though Microsoft, Trusted Computing Group and Cisco have nearly identical NAC architectures, they are all incompatible. Lab Alliance member Joel Snyder makes some educated guesses as to why that is the case.


Like the TCG architecture, Microsoft’s Network Access Protection is accompanied by a great deal of hand waving when it comes to the actual protocols and data streams involved in making the client, the Enforcement Server, and the Network Policy Server all talk to each other. In the case of Microsoft’s original DHCP and RRAS-based Enforcement Servers, it’s all Microsoft software, so having an open protocol is not really critical. However, when it comes to the 802.1X Enforcement Servers, currently available public documents leave a great deal unsaid as to how this will actually work.

Microsoft also throws an interesting monkey wrench into the works with its concept of a “Health Certificate.” Using a combination of existing products to create a Web-based public-key infrastructure server called a Health Certificate Server, Microsoft’s NAC scheme supports creating a digital certificate that can be used in place of Statements of Health.

Rather than try and send Statements of Health around at authentication time, a client proves its health to the Health Certificate Server using normal System Health Agents and Statements of Health. It then receives a digital certificate that it can use instead of normal user credentials for authentication using 802.1X or IPSec. Using certificates in this way is a logical outgrowth of Microsoft’s VPN strategy, in which the IPSec authentication is largely irrelevant; instead, the L2TP authentication that Microsoft clients run on top of IPSec is where the user actually proves his identity.

The benefits of this complex system of using Health Certificates are not clear. It’s likely the goal is to increase perceived performance by separating out the work of determining system health from actually connecting to network resources. Whether this perception will be worth the increase in complexity and decrease in security is a difficult call to make at this stage in the NAC product life cycle.


IT managers are now presented with an overwhelming number of architectures promising tools that will help create a strong link between users, end systems and access to network resources.


Juniper's Infranet

Although it is possible to map the basic components in the Juniper Infranet to TCG’s Trusted Network Connect architecture, the reality is that Juniper is trying to accomplish very different things, focusing on firewall and access control, with less emphasis on endpoint security.

Juniper breaks from other vendors’ NAC architectures in the amount of control that it gives the network manager when building a NAC infrastructure. Juniper’s strategy is very dependent on both authentication and on detailed access control using its firewalls. The result is that when someone enters a network under Juniper’s NAC control, every connection goes through a stateful packet filtering firewall, can be encrypted and is explicitly tied to an access control policy based on a user’s identity.

For example, when a system enters a network under Microsoft Network Access Protection with DHCP, the main concern is whether the user has the appropriate level of endpoint security. If so, the user is given unlimited access to the network. With Juniper’s Infranet, the endpoint security assessment of the user is optional, but the identity-based access control policy is not.
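
The contrast drawn above can be made concrete with a small model of a Policy Decision Point using the TNC roles described in this article. This is an added illustration, not vendor code or any vendor's API: the three model names, the verifier thresholds, the allowed-port set and the user-to-ACL table are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Measurements = Dict[str, object]


@dataclass(frozen=True)
class AccessRequest:
    """What reaches the Policy Decision Point for one connecting endpoint."""
    user: Optional[str] = None                   # authenticated identity, None if absent
    measurements: Optional[Measurements] = None  # collector output, None if no agent


# Integrity Measurement Verifiers: each validates one aspect of the client's
# measurements against policy. Thresholds are assumptions for this example.
def imv_antivirus(m: Measurements) -> bool:
    return bool(m.get("av_enabled")) and int(m.get("av_signature_age_days", 999)) <= 7


def imv_open_ports(m: Measurements) -> bool:
    return set(m.get("open_ports", [])) <= {22, 443}


IMVS: List[Callable[[Measurements], bool]] = [imv_antivirus, imv_open_ports]

# Hypothetical identity-based policy: user -> ACL name pushed to the enforcement point.
USER_ACL = {"alice": "acl-finance", "bob": "acl-engineering"}


def posture(req: AccessRequest) -> Optional[bool]:
    """TNC Server role: hand the measurements to every verifier.
    Returns None when the endpoint supplied no measurements at all."""
    if req.measurements is None:
        return None
    return all(imv(req.measurements) for imv in IMVS)


def decide(req: AccessRequest, model: str) -> str:
    """Network Access Authority role: turn identity and posture into the
    instruction sent to the Policy Enforcement Point."""
    healthy = posture(req)
    acl = USER_ACL.get(req.user) if req.user else None

    if model == "posture_only":
        # Health decides everything; identity is never consulted.
        if healthy is None:
            return "deny"  # assumption: no agent means no access
        return "full" if healthy else "quarantine"

    if model == "identity_required":
        # Identity-based ACL is mandatory; posture is checked only if present.
        if acl is None:
            return "deny"
        return "quarantine" if healthy is False else acl

    if model == "identity_and_posture":
        # Both travel in one exchange and both must pass.
        if acl is None or healthy is None:
            return "deny"
        return acl if healthy else "quarantine"

    raise ValueError(f"unknown model: {model}")


# Constructed sample endpoints.
SAMPLES = {
    "healthy_anonymous": AccessRequest(
        user=None,
        measurements={"av_enabled": True, "av_signature_age_days": 2, "open_ports": [443]}),
    "alice_no_agent": AccessRequest(user="alice", measurements=None),
    "bob_stale_av": AccessRequest(
        user="bob",
        measurements={"av_enabled": True, "av_signature_age_days": 30, "open_ports": [22]}),
}
MODELS = ("posture_only", "identity_required", "identity_and_posture")


def compare() -> Dict[str, Dict[str, str]]:
    """Decision for every sample endpoint under every model."""
    return {name: {m: decide(req, m) for m in MODELS} for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:18}", row)
```

The healthy but anonymous endpoint is the case to watch: it gets full access under the posture-only model and is refused under the other two.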

This philosophical difference has one benefit: it makes it easier to decide whether the Juniper approach is right for you, and whether this level of authentication, security and access control is what you’re looking for — or whether you mostly care about endpoint security assessments.

On the client end, Juniper uses its Enterprise Infranet Agent as the focal point for client management. The Infranet Agent links to third-party TCG Integrity Measurement Collectors using its own JEDI API. Juniper also provides endpoint security assessment tools — a feature of its SSL VPN called Host Checker — for checking endpoint status, such as open ports or running processes.

Because the user is assumed by Infranet’s architecture to already have connected to the network, the Infranet Agent doesn’t participate in Layer 2 authentication schemes such as 802.1X. Instead, the Infranet Agent’s role is to provide user authentication to the Policy Enforcement Point deeper in the network and the endpoint security assessment information back to the Policy Decision Point, dubbed Infranet Controllers.

Juniper’s firewall and SSL VPN products — called Infranet Enforcers — act as the Policy Enforcement Points and are typically located deep within the network.

The Infranet Agent also manages encryption between the end system and the Infranet Enforcer Policy Enforcement Point. By applying IPSec encryption between the client and the Infranet Enforcer, Juniper offers strong binding between the end station, its authentication and the applied policy. This security only starts at the Policy Enforcement Point; any misbehavior by the client before it reaches the Infranet Enforcer is uncontrolled in the Juniper Infranet model.

Juniper’s  Infranet  Controllers,  akin  to  the 
TCG’s  Policy  Decision  Points,  are  based 
closely  on  Juniper’s  SSL  VPN  product  line, 
as  both  use  the  same  policy  engine. 

Unlike  other  NAC  architectures,  Juniper’s 
Policy  Decision  Points  don’t  have  a  clear 
link  between  the  Integrity  Measurement 
Verifiers,  which  evaluate  endpoint  security 
information  from  the  Juniper  Host  Checker 
(acting  as  the  Integrity  Measurement 
Collector  in  the  TCG  scheme)  and  give  a 
policy  decision  back  to  the  Infranet  Con¬ 
troller.  Instead,  the  Infranet  architecture 
waves  away  the  question  of  how  Integrity 
Measurement  Collectors  can  pass  informa¬ 
tion  to  the  Integrity  Measurement  Verifiers 
within  the  Policy  Decision  Point  by  pointing 
off  to  the  JEDI  specification.  In  reality,  the 
JEDI  specifications  are  mute  on  how  this 
link  will  actually  work.  This  is  a  weak  point 
in  the  Infranet  architecture  because  man¬ 
agement  of  desktop  and  roaming  user  pol¬ 
icy  has  to  be  handled  once  in  whatever  en¬ 
terprise  console  is  used  to  control  the  third- 
party  security  tool  and  then  a  second  time 
within  the  Infranet  Controller  environment. 

Choosing a NAC architecture depends on your goals and your integration strategy. If you’re an all-Cisco shop with modern hardware, you can hitch your horse to Cisco’s architecture, which is as complete as anyone’s. For those interested in standards-based solutions, TCG’s TNC is the only real option despite some risk. Microsoft’s approach is most appropriate in smaller networks where you want to control the PCs you already own and are most concerned about viruses rather than authentication and access control.

Snyder is a senior partner at Opus One, a consulting firm, in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.


Lab  Alliance 


■  Snyder  also  is  a  member  of  the  Network 
World  Lab  Alliance,  a  cooperative  of  the  pre¬ 
mier  testers  in  the  network  industry,  each 
bringing  to  bear  years  of  practical  experience 
on  every  test.  For  more  Lab  Alliance  informa¬ 
tion,  including  what  it  takes  to  become  a  part¬ 
ner,  go  to  www.networkworld.com/alliance. 
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How  to  keep  tabs  on  powerhouse  vendors 

Managing  your  most  important  IT  suppliers  requires  attention  and  dedication. 


BY  JIM  DUFFY 


Dealing with your network’s one or two predominant vendors requires a relationship deeper than occasional face time with a sales rep. The relationship’s architecture, service levels and business objective need constant monitoring and review.


Vendors  often  claim  that  they  partner 
with  their  IT  customers,  but  most  vendor- 
customer  partnerships  are  one-way:  The 
customer  pays  a  vendor  for  goods  and  ser¬ 
vices.  Once  opportunities  for  new  revenue 
wane,  so  does  the  partnership. 

Research and consulting firm Gartner recommends companies adopt an “ecosystem” approach to their relationships with powerhouse vendors. This ecosystem is made up of the user and the product, service or technology vendor in a “mutually beneficial, self-sustaining and symbiotic relationship.”


Vendor checklist


“Organizations need to do an evaluation and understand what their dependency is on a large, powerhouse vendor, and how much do they trust that powerhouse vendor and what does that powerhouse vendor mean to them,” says Betsy Burton, vice president and distinguished analyst at Gartner. “Based on that self-assessment, organizations need to decide what sort of relationship management they’re going to do.”


Proactive management of such vendor relationships is key to ensuring mutually beneficial rights and responsibilities, Burton says. She recommends appointing a full-time IT person to manage the relationship and track service levels and deliverables. The vendor management team should include people from other parts of the company to provide different views of the customer experience.

Users also need to balance a vendor relationship with the degree of lock-in that could come with the vendor’s product. Vendors are always looking to foist their vision or architecture on IT organizations. Those charged with managing a vendor ecosystem need to understand how their overall corporate strategy and culture relate to or differ from the strategy and culture of a vendor; evaluate how well their business model — strategy, priorities and revenue stream — fits with a vendor’s business model; and consider the products, services, architecture, configuration and licensing terms and conditions a vendor is offering.

Gartner  suggests  conducting  vendor 
overviews  on  a  six-  or  12-month  cycle, 
depending  on  the  level  of  investment 
your  organization  is  making.  A  six-month 
cycle  is  appropriate  for  vendors  that  are 
providers  of  a  broad  base  of  IT  infrastruc¬ 
ture  or  services  —  usually  those  support¬ 
ing  business-critical  applications.  This 
overview  should  consider  product 
announcements,  strategies  and  state¬ 
ments  of  direction,  as  well  as  analyst 
assessments. 

This need for oversight might be the reason some companies outsource the management of their major vendors to third-party companies such as CDW, a $5.7 billion reseller of computer and networking products. CDW also provides customized and standardized integration and contract management services as part of the product procurement contract.

“Many  companies  like  to  have  a  company 
like  CDW  relieve  some  of  the  hassles  that 
come  up  from  time  to  time,”  says  Brian 
Schwartz,  a  CDW  technology  specialist. 
“There’s  always  that  one  throat  to  choke, 
where,  from  a  customer’s  point  of  view,  they 
are  so  busy  they  really  want  to  focus  their 
energies  on  serving  their  users.  The  last 
thing  they  want  is  to  have  to  [deal  with] 
pricing  issues,  return  issues,  etc.” 

Schwartz  says  one  hassle  network 
departments  deal  with  is  software  licens¬ 
ing.  Keeping  track  of  software  versions 
and  licensing  terms  can  be  so  confusing 
and  time-consuming  that  a  company  may 
purchase  more  software  than  it  needs  or 
the  wrong  versions  or  end  up  paying  too 
much. 

“There  was  a  customer  who  needed  to 
renew  some  Microsoft  licensing,  and  she 
thought  that  she  needed  to  pay  something 
like  $80,000,”  Schwartz  says.  “When  she 
came  to  us  and  we  looked  at  her  agree¬ 
ments,  she  didn’t  realize  she  had  some 
upgrade  credits.  The  total  renewal  price 
was  about  $80  instead  of  $80,000.” 

Coast Capital Savings, the second-largest credit union in Canada, channels its vendor management through resellers. Coast Capital’s relationships with its resellers are like the relationships enterprises have dealing directly with their predominant vendors.


“We look for resellers that are capable of sustaining a long-term relationship, because in the end we’ll both benefit from that,” says Luis Henriques, senior network engineer at the credit union, which is based in Vancouver, British Columbia. “The longer they stick around, the better they are capable of understanding who we are, how we operate, what our infrastructure looks like from Layer 1 to 7, what our road maps are, and what our upcoming needs might be.”

Henriques says Coast Capital looks for resellers that can think outside the box and have multi-vendor alliances and in-house creative experts to help the credit union come up with cost-saving, timely solutions. Another Coast Capital criterion is that resellers have a geographic scope and business and human philosophies that align with its own, he says.

“We look for resellers that are small enough to care, strong enough to grow with us, yet large enough to offer competitive pricing and services,” Henriques says.

That’s not to say Coast Capital leaves everything up to its resellers. Henriques prefers to deal directly with network vendors on software configuration issues.

“I . . . stay away from value-added reseller support contracts that look cheaper upfront, but [where] often the number of brains available to work on your problem is limited, their certification levels [are] lower, and access to vendor in-house engineering and software-developer experts [is] nonexistent,” he says. “So when your network data centers have to be up 24/7/365, buying that more expensive contract from the experts is definitely worth it.” ■
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2006  Enterprise  All-Star  Award 

Submit your entry in this prestigious award program before it's too late. Deadline for nominations is May 10. Go online for more information and a nomination form.
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Try  the  following  tips  for  interacting  with  your  primary  suppliers: 

•  Be  in  the  know.  Stay  informed  about  what  the  company  is  saying  at  public  forums  and  in  announcements 
and  financial  disclosures. 

•  Visit  the  vendor.  An  informal  visit  to  a  vendor’s  headquarters  lets  your  team  meet  technical  service,  customer 
service  and  investor  relations  groups. 

•  Participate  in  vendor  briefings.  If  you  are  making  a  significant  investment  in  a  vendor  you  may  gain 
strategic  insights. 

•  Become  a  member  of  the  vendor's  customer  advisory  council.  You  will  get  a  direct  voice  in  shaping  a  vendor's 
product  and  access  to  key  members  of  the  marketing  and  engineering  teams. 

SOURCE:  GARTNER 


maybe it’s time you look at AdaptiveKVM

When  servers  are  down  or  inaccessible,  you  need 
fast  and  reliable  out-of-band  access  and  control. 

Cyclades  AdaptiveKVM™  (patent  pending)  is  the  industry’s  first 
integrated  solution  that  combines  KVM  over  IP  and  Microsoft® 
Remote  Desktop  Protocol  (RDP)  technology  in  a  single 
appliance.  By  using  KVM  over  IP  combined  with  RDP, 
AdaptiveKVM  provides  continuous  access  for  remote  server 
management. 


Next-Generation  KVM  Solution 


AlterPath™  KVM/netPlus 
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Download a FREE White Paper on AdaptiveKVM

www.cyclades.com/akvm 
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www.cyclades.com/nw 

1.888.cyclades • sales@cyclades.com


cyclades 
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Out-of-Band Access to Consoles at Remote Locations

■ Secure Shell (SSHv2) Encryption
■ Simultaneous SSH or Telnet
■ TACACS & RADIUS Authentication
■ Dial-Back Security on Modem Port
■ Command Logging with Audit Trail
■ SYSLOG Reporting
■ NTP Server Ready
■ Any-to-Any Port Switching
■ Non-Connect Port Buffering
■ Port-Specific Password Protection
■ Data Rate Conversion
■ Rack Mountable - Requires 1 Rack Unit
■ 115/230 VAC or -48 VDC Models

The  SCM-16  Secure  Console  Management  Switch  provides  in-band  and 
out-of-band  access  to  RS232  console  ports  on  UNIX  servers,  routers  and  any  other 
network  elements  which  have  a  serial  console  or  craft  port.  System  administrators 
can  access  serial  maintenance  ports  over  the  network  via  SSH  connections  and  simple, 
menu-driven  commands  or  through  a  discrete  TCP  port  connection,  mapped  directly  to 
one  of  the  SCM-16  serial  outputs. 

Visit Website for Complete NetReach™ Product Line

(800) 854-7226 • www.wti.com

5 Sterling • Irvine • California 92618-2517

(949) 586-9959 • Fax: (949) 583-9514


Web  Browser  Interface 




Yes,  We  are  Customer  Friendly! 

✓  Two  Year  Warranty 

✓  We  Stock  for  Same  Day  Shipment 

✓  30  Day  Return  Policy 

✓  Call  or  Email  for  an  Online  Demo 
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What's  on  your 

Network? 

Find  out  with  NetSupport... 


Centrally  Discover,  Support  and 
Manage  your  Systems.  Anywhere. 


Do  you  know  where  your  oldest  computer  is?  Need  to  locate  and  upgrade  your 
Windows  98  systems?  Are  you  overpaying  on  unused  software  licenses?  Which 
employees  are  spending  the  most  time  surfing  the  web?  Find  out  fast  with 
NetSupport  DNA. 


Managing  your  company's  IT  assets  means  more  than  just  selection  and 
maintenance.  Reporting,  inventory,  deployment  and  forecasting  are  also  part  of  the 
job.  NetSupport  DNA  is  an  easy  to  use  IT  asset  management  solution  that  provides 
you  with  the  tools  you  need  to  get  to  know  your  network. 


Unlike  other  solutions,  NetSupport  DNA  does  not  require  certified  training  or  have  a 
complex  implementation  path.  It  offers  all  of  the  functionality  you'd  expect  from  an 
award  winning  asset  management  suite,  but  with  only  a  30  minute  implementation 
path. 


NetSupport  DNA  combines  powerful  hardware  and  software  inventory  with  software 
distribution,  application  and  internet  metering,  pc  remote  control,  enterprise 
reporting  and  a  web-based  help  desk  solution. 


NETSUPPORT 
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


to  make  things  complex 


than  it  is 

to  make  them 


simple. 


Introducing  CommandCenter®  NOC  and  CommandCenter  Secure  Gateway. 
Managing  IT  infrastructure  just  became  simple. 


Now businesses of any size can improve service levels, spend less time fighting fires and focus on activities that help the bottom line. Raritan's new CommandCenter management products are the only solutions available today that combine the power of systems, network and proactive security management with secure, remote KVM and serial console access. Learn more at NowITisSimple.com.

Raritan

We make IT simple.™


N  YOUR  REACH 
ANYWHERE


LOCAL OR REMOTE SERVER MANAGEMENT SOLUTIONS


UltraMatrix™ 

E-series 


■  PROFESSIONAL  MULTI-USER  KVM  SWITCH 
2  -  4  KVM  STATIONS  TO  1,000s  OF  COMPUTERS 


UltraMatrix™ 

Remote 


■  MATRIX  KVM  SWITCH  WITH 

INTEGRATED  REMOTE  ACCESS  OVER  IP 


KVM  SWITCH 


KVM  OVER  IP 


PC  or  multi-platform  (  PC/Unix,  Sun,  Apple,  others) 

On-screen  menu  informs  you  of  connection  status  between  units 

in  an  expanded  system 

Powerful,  expandable,  low  cost 

No  need  to  power  down  most  servers  to  install 

Security  features  prevent  unauthorized  access 

Free  lifetime  upgrade  of  firmware 

Video  resolution  up  to  1600  x  1280 

Available  in  several  models 

Easy  to  expand 


System-wide  connectivity  over  IP  worldwide  and  locally 
Connects  1,000  computers  to  up  to  256  user  stations 
Supports  PC,  Sun,  Apple,  USB,  UNIX,  serial  devices 
High  quality  video  up  to  1280  x  1024 
Secure  encrypted  operation 

View  real-time  video  from  4  computer  connections  with 
quad-screen  mode 


The UltraMatrix E-Series represents the latest in KVM matrix switch technology, at an affordable price. The E-Series allows you to connect up to 256 user stations to as many as 1,000 computers. The UltraMatrix E-Series is available in several sizes: 2x4, 2x8, 2x16, 4x4, 4x8, 4x16, 1x8, and 1x16 in either PC or multi-platform.


The  UltraMatrix  Remote  represents  the  next  generation  in  KVM  switches  with  IP  access.  It 
provides  a  comprehensive  solution  for  remote  server  access  over  IP  and  local  as  well. 


■  KVM  RACK  DRAWERS  WITH  KVM  SWITCH  OPTION 


RackViews  offer  the  latest,  most  efficient  way  to  organize  and  streamline  your 
server  rooms  and  multiple  computers. 

The  RackView  is  a  rack  mountable  KVM  console  neatly  fitted  in  a  compact  pull-out 
drawer.  This  easy-glide  KVM  drawer  contains  a  high-resolution  TFT/LCD  monitor,  a 
tactile  keyboard,  and  a  high-resolution  touchpad  or  optical  mouse. 


XtendVue 

Vertical  Rack  mountable  LCD 
With  Built-in  KVM  Extender 


RackView 

Fold-Forward 


RackView 

Fold-Back 


RackView 
LCD  Monitor 


RackView 

Keyboard 


ROSE  US  281  933  7673 

ROSE EUROPE +44 (0) 1264 850574
ROSE  ASIA  +65  6324  2322 

ROSE  AUSTRALIA  +617  3388  1540 


800-333-9343 

WWW.ROSE.COM 




ROSE 

ELECTRONICS 


How  Do  You  Distribute 
Power  in  Your  Data 
Center  Cabinet? 


With  Sentry! 

CDU  Product  Family:  Metered,  Smart  &  Switched 
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Server  Technology 


Solutions  for  the  Data  Center  Equipment  Cabinet 


The  Sentry  CDU  distributes  power  for  Blade 
servers  or  up  to  42  dual-power  1U  servers 
in  one  enclosure.  Single  or  3-phase  input 
with  110VAC,  208 VAC  or  mixed  110/208VAC 
single-phase  outlet  receptacles. 


Metered  CDU 

>  Local  input  Current  Monitoring 


Smart  CDU 

>  Local  Input  Current  Monitoring 

>  Supports  External  Temperature  and 
Humidity  Probes 

> IP Monitoring of Power, Temperatures
and Humidity


Switched  CDU 

>  Local  input  current  Monitoring 

>  Supports  External  Temperature  and 
Humidity  Probes 

>  IP  Monitoring  of  Power,  Temperatures 
and  Humidity 

>  Remote  Power  Control  of  Each  Outlet 
—  On  /Off  /Reboot 


Server  Technology,  Inc. 
1040  Sandhill  Drive 
Reno,  NV  89521 
USA 


toll  free +1.800.835.1515 
tel  +1.775.284.2000 
fax  +1.775.284.2065 

www.servertech.com 

sales@servertech.com 


Problems  overwhelming  your  current  sniffer? 
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Advance to the next level with Observer 11. Now with enterprise strength VoIP analysis. New features include an enhanced VoIP Expert, Quality Scoring, Call Detail Records, MultiHop Analysis, and 64-bit Windows support. It's time to reset your analyzer.


Wired to wireless. LAN to WAN. One network - complete control.


INSTRUMENTS 


US & Canada: toll free 800.526.5958

UK & Europe: +44 (0) 1959 569880

www.networkinstruments.com/analyze 
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Don't let power issues give you a headache

Manage your system's power from anywhere, anytime

Nothing  gives  you  a  bigger  headache  than  infrastructure 
hardware  and  software  problems  at  the  wrong  time. 
Often  these  issues  cost  you  valuable  system  downtime 
and  require  a  site  visit  to  reboot  hardware.  Let 
SMARTstart  remote  power  distribution  systems  show 
you  the  efficient  way  to  manage  your  system's  power. 

•  Trusted  by  major  OEM's 

•  Reboot  from  anywhere,  anytime  via  web  or 
TCP/IP 

•  Remote  power  distribution  and  circuit  protection 
for  AC  or  -48  VDC  or  +24  VDC  systems 

Auto  reset  circuit  breaker  feature  addresses 
no  fault  breaker  trips  for  DC  systems 

AC  PDU  features  auto  power  on  sequence  in  the 
event  of  power  outages.  This  prevents  potential 
damage  as  a  result  of  inrush  currents  when 
power  is  suddenly  restored 


SPECTRUM  CONTROL  INC. 


Power  Management  Systems  Group 
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AB 
FREE. 


DOWNTIME-FREE. 
WORRY-FREE. 
HASSLE-FREE.
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If the thought of finding a cooling solution is making you break out in a cold sweat, get MovinCool and relax. As the industry since 1982, MovinCool offers more solutions for your cooling needs, along with unrivaled capacity and non-stop reliability. If floor space in your server room is an issue, our new ceiling-mount CM12 provides optimum cooling power while taking up no floor space. With all this selection, is there a MovinCool that’s right for you? Absolutely!

The Office Pro series provides maximum cooling for

THE #1 INNOVATIVE SPOT COOLING SOLUTION

Visit movincool.com or call 800-264-9573 for more information or to find a dealer near you.

2006 DENSO Sales California, Inc. MovinCool, SpotCool and Office Pro are registered trademarks of DENSO Corporation.
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TAP  Into  Your  Network 


Only a TAP can provide a complete copy of data from full-duplex links at line rate for monitoring devices. Without a TAP, a monitoring device may be fed incomplete and misleading information, creating false positives and overlooking network problems that actually do exist. Visit www.networkTAPs.com/visibility today.


Copper nTAPs

10/100: $395

10/100/1000: $795


Copper to Optical Conversion nTAPs

SX or LX: $1,495
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Optical  nTAPs 

One-Channel: $295

Two-Channel: $575

Three-Channel: $845


To  learn  more  about  how  nTAPs  can  boost  your  network  visibility,  which  configuration  option 
is  best  for  you,  and  to  check  out  new  pricing  go  to  www.networkTAPs.com/visibility 
or  call  866-GET-nTAP  today.  Free  overnight  delivery* 




*Free  overnight  delivery  on  all  U.S.  orders  over  $295  confirmed  before  12  p.m.  Central  Time. 
nTAP  and  all  associated  logos  are  trademarks  or  registered  trademarks  of  Network  Instruments,  LLC. 
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Dealers  Wanted 


[Product diagram callouts: Sound Monitoring; Power Control Interface; Port; Modem / Pager Port; Sensor Inputs (Temperature, Humidity, Water, Motion, Power, Smoke/Fire); Expandable]

Monitor  the  REST  of  your  Computer  Room! 


Water  on  the  Floor 

Temperature 

Power  Problems 

Security 

Smoke  and  Fire 

Humidity 

Video 

And  much  more 
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[Product diagram callouts, continued: Sends SNMP Messages; Monitors 64 IP addresses; Embedded Web Server; Sends E-Mail; Internal]

SENSAPHONE 

Tel:  877-373-2700 

901  Tryens  Road 

www.ims-4000.com 

Aston,  PA  19014 

Production  Tracking  Over  Ethernet 

Eliminate  your  shop-floor 
PCs  with ... 

Ethernet  Terminals  from 
ComputerWise  connected  to 
your  in-house  LAN. 

Capture  production  data 
directly  into  files  on  your 
server. 

Features & Benefits

• Interactive Telnet Client

• TCP/IP over 10/100BaseT Ethernet

• Built-in Barcode Badge Reader

• Optional Mag-Stripe & RFID Badge Reader

• Auxiliary RS-232 Serial port

• Customizable Data Collection Program Included

Larger keyboard and display available


or visit www.computerwise.com
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MiniGoose 

Climate  Monitor 


Camera 

$199 


MiniGoose  $199 


WeatherGoose  $399 
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Instantly  Search 

Terabytes of Text


dtSearch


“Bottom line: dtSearch manages a terabyte of text in a single index and returns results in less than a second” — InfoWorld

♦ over two dozen indexed, unindexed, fielded data and full-text search options

♦ highlights hits in HTML, XML and PDF, while displaying links, formatting and
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Dos  and  don’ts  of  Web  design 

A  sampling  of  Google's  guidelines: 

•  Don't  participate  in  link  schemes  designed  to  increase  your  site's  ranking. 

•  Avoid  tricks  intended  to  improve  search  engine  rankings.  Before  implementing  a 
questionable  design  technique  ask  yourself  if  it  helps  users  and  if  you’d  use  it  if  search 
engines  didn't  exist. 

•  Don't  present  content  to  search  engines  that's  different  from  what  you  display  to  users. 

•  Avoid  hidden  text  or  links. 

•  Don't  load  pages  with  irrelevant  words. 

•  Don't  create  multiple  pages  with  the  same  content. 

• Don't assume that because a specific deceptive technique isn't described, Google approves of it.

SOURCE: GOOGLE


Google 


Webmasters in some industries say they’ve been complaining to Google for years about certain types of abuse but they’ve gotten little support. Take David Beart, who runs The Pet Professor Web site. A few years ago he noticed that a couple of sites — mainly Next Day Pets and TerrificPets.com — suddenly showed up at the top of search engine rankings for certain terms related to pet supplies.

Both those sites offer graphics for other sites to use, and these graphics are embedded with links back to them. For example, TerrificPets.com runs a program that gives an award to other sites for being well-designed. When Web sites apply to win the award, TerrificPets.com gives them a graphic to put on their site that says they won. The graphic is embedded with six links back to TerrificPets.com.

Typically when Web sites exchange links, banners or other graphics, the graphics include just one link back. By disseminating graphics with many links, Next Day Pets and TerrificPets.com artificially boost their rankings on search engines, which use inbound links as one factor to determine rankings, Beart says.

Beart also says many people who operate small pet Web sites aren’t necessarily sophisticated in design, so they may not notice the multiple links or fully understand the effect the links have on TerrificPets.com’s ranking or potentially on their own. “Most of them may know a lot about breeding dogs and cats but they put up their sites using Frontpage, or their son or daughter puts it up for them,” he says.


■ Network World, 118 Turnpike Road, Southborough, MA 01772-9108, (508) 460-3333.

Periodicals postage paid at Southborough, Mass., and additional mailing offices. Posted under Canadian International Publication agreement #40063800. Network World (ISSN 0887-7661) is published weekly, except for a single combined issue for the last week in December and the first week in January by Network World, Inc., 118 Turnpike Road, Southborough, MA 01772-9108.

Network World is distributed free of charge in the U.S. to qualified management or professionals.

To apply for a free subscription, go to www.subscribenw.com or write Network World at the address below. No subscriptions accepted without complete identification of subscriber's name, job function, company or organization. Based on the information supplied, the publisher reserves the right to reject nonqualified requests. Subscriptions: 1-508-490-6444.

Nonqualified subscribers: $5.00 a copy; U.S. - $129 a year; Canada - $160.50 (including 7% GST, GST#126659952); Central & South America - $150 a year (surface mail); all other countries - $300 a year (airmail service). Four weeks notice is required for change of address. Allow six weeks for new subscription service to begin. Please include mailing label from front cover of the publication.

But the owner of TerrificPets.com says that by including the multiple links, he’s offering a service by directing visitors to the award winners back to relevant pages on his own site. When a Webmaster applies for and wins an award, Jason Futch, CEO of JCom Designs, sends along the HTML for the award graphic, in which the Webmaster can plainly see the links back to TerrificPets.com, he says. JCom created and maintains TerrificPets.com.

Words like “horses” within the award graphic don’t look like hyperlinks, but if a user clicks on one, it opens Terrific Horses, a page about horses within TerrificPets.com.

Futch figures that the number of incoming links a site has is just one factor of possibly hundreds that search engines use to create their rankings. “The reason we rank well is because we have thousands of pages of content,” he says. His site includes searchable discussion forums, and the information found there naturally drives traffic to the site, he says.

As an indication of just how contentious this issue is to the sites involved, Next Day Pets threatened to sue Beart for comments he wrote about the link-back techniques on a blog. In a separate episode, Futch threatened to sue Next Day Pets in 2004 because he says it was stealing content from his site and reposting it. Next Day Pets could not be reached for comment on this story.

Web  design  experts  weren’t 
sure  if  including  the  links  in  Web 
awards  or  other  traded  graphics 
was  unfair  or  against  policies  set 
by  search  engines. 

“I  wouldn’t  think  it  breaks 
[Google’s  policies]  explicitly  but 
it’s  against  the  spirit  of  what 
they’re  attempting  to  achieve,” 
says  Rebecca  Jennings,  a  senior 
analyst  at  Forrester  Research. 

Rather than try to fight these borderline practices, Jennings and Chris Winfield, president and co-founder of Web site design company 10e20, say Web designers might do better by proactively protecting themselves and improving their sites to naturally increase their success.

Winfield’s  best  advice  is  to  be 
careful  about  putting  anything 
from  a  little-known  source  on 
their  sites. 

Webmasters also can better design their sites and offer useful content to help them attract visitors and get a higher ranking in search engines, Jennings says.

Beyond that, Jennings and Winfield say it’s hard to find anyone to blame for allowing techniques that some people find unfair. “It’s easy to blame Google and people love doing it, but I don’t think that’s fair,” Winfield says.

Beart disagrees. He says Google should try to stop Next Day Pets and TerrificPets.com from continuing their inbound link campaigns. He has sent several letters to Google complaining about the sites but has received only form letters in reply.

Google says it has an initiative to combat the underhanded techniques used by Web designers to boost their search rankings, but engineers there say the effort is an uphill battle.

“It’s difficult,” says Aaron D’Souza, part of the engineering group leading this effort at Google. “It’s a bit of a game. If we shut down one avenue, there are a bunch of very smart people out there who will find another way.”

The group’s efforts focus on creating tools within Google to detect the techniques Web designers use to illegitimately boost their sites’ rankings, he says.

But the sheer number of sites on the Web means that it would be nearly impossible for Google to take action every time it receives a complaint, Jennings says. The tricky practices aren’t breaking any laws, she notes. While that’s little comfort to people who feel they’ve been scammed, it means that technically no one is responsible for chasing the offenders.

Shelley  Solheim  of  IDG  News 
Service  contributed  to  this  story. 


DoD  readies  wireless  mandate 


BY  JOHN  COX 

The U.S. Department of Defense is putting the final touches on a policy memo that will mandate use of the IEEE 802.11i security standard for unclassified wireless networks.

The mandate could spark a proliferation of wireless LAN (WLAN) deployments throughout the federal marketplace, as civilian agencies take their cue from the Defense Department. And it will be a key element in the department’s Global Information Grid, an unfolding set of inter-related, IP-based networks.

The new policy should encourage wireless vendors to incorporate 802.11i into more products, which still have to be certified as meeting the Federal Information Processing Standards (FIPS) 140-2 specification.

“We already have two vendors that have completed FIPS 140-2 that are also WPA2 certified” by the Wi-Fi Alliance, says Stan Burlingame, commercial wireless program analyst with the Communications and Programs Policy Directorate at the Defense Department, who’s overseeing the policy draft. “There are also two additional vendors going through validation through [the National Institute of Standards and Technology]. We expect four vendors to complete FIPS 140-2 and Wi-Fi certification in the next few months.”


“The government [now] believes that 11i is good enough for federal adoption,” says Merwyn Andrade, CTO for Aruba Wireless Networks. “This [policy] will result in huge cost savings for wireless services and harmonize standard security across all WLAN deployments.”

Aruba plans to announce this week that the 802.11i implementation in two of its WLAN controllers has been granted FIPS 140-2 certification.

The new policy memo is due to be completed within the next few weeks, Burlingame says.

The security document will require unclassified Defense Department WLANs to use products that implement the encryption and authentication mechanisms in the 802.11i standard. The Wi-Fi Alliance certifies 802.11i products under its Wi-Fi Protected Access 2 Enterprise, and Burlingame says the new policy will call for WPA2 certification.

By mandating a commercial security standard, the Defense Department hopes to ensure that affordable WLAN equipment is widely available and interoperable in enterprise-class wireless networks, Burlingame says. An 802.11i network will require code on client devices, the access points they connect to, possibly a WLAN switch, and an authentication server, such as RADIUS. Such an end-to-end solution doesn’t exist in the federal market today.
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Information  Management 


.INFRASTRUCTURE  LOG 

.DAY  35:  Whoa!  Came  in  today  and  found  a  black  hole. 
Information  goes  in  but  doesn’t  come  out.  This  is  bad. 

.DAY  36:  The  black  hole  just  sucked  in  three  interns. 

HR  is  not  pleased. 

.DAY  38:  I’ve  taken  back  control  with  IBM  Information 
Management  middleware.  It’s  built  on  open  standards. 
Totally  scalable.  Seamlessly  unites  all  our  critical 
information,  whatever  its  source.  Now  our  info  has  real 
business  value,  and  we  can  use  it  in  innovative  ways 
to  help  spur  growth. 

_We  got  everything  back  from  the  black  hole.  Except 
the  interns. 


See  innovative  IBM  Info  Management  solutions  in  action: 

IBM.COM/TAKEBACKCONTROL/INFOMGMT 
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BACKSPIN 


Mark  Gibbs 


Getting  the  upper  hand  on  your  e-mail 


There was an interesting discussion on one of my favorite mail lists about how people organize their email. What kicked it off was an article on “CNN Money” titled “Secrets of greatness: How I work” (www.nwdocfinder.com/2837).

The somewhat over-exposed Marissa Mayer, Google’s vice president of search products and user experience, says she gets 700 to 800 messages per day (presumably after de-spamming), and she says she uses the weekends to catch up: “I’ll just sit down and do e-mail for 10 to 14 hours straight.” Lucky gal.

Also mentioned in the article is Amy Schulman, a partner at DLA Piper Rudnick Gray Cary who claims a measly 600 messages per day. Her strategy is to divide them into four categories and then deal with them immediately: “First are e-mails that I forward to someone else. Next are messages where somebody’s giving me information that I need to cascade to somebody else with instructions. Third are the ones that I can read later on an airplane. Fourth are those that require me to respond immediately.”

I  checked  out  my  own  email  load.  I  used  to  run  my  own 
mail  server, and  in  those  days  it  was  handling  about  2,500 
messages  per  day  but  most  were  spam.  I  assume  the  spam 
is  still  at  a  similar  level  but  now  I  use  Everyone.net  to  host 


my  email  services  so  1  only  see  around  200  to  300  mes¬ 
sages  per  day  (a  total  lightweight,  I  know,  but  then,  I’m  not 
a  highly  paid  corporate  type  with  ulcers). 

Of  my  200-plus  messages  per  day  about  25%  are  spam 
that  squeaked  past  the  filters,  so  1  have  around  200  real 
messages  to  deal  with. 

I  use  Outlook,  and  as  I  have  a  lot  of  e-mail  aliases  I  have 
a  ton  of  rules  that  do  things  such  as  route  messages  sent 
to  backspin@gibbs.com,  gearhead@gibbs.com  and 
webapps@gibbs.com  into  my  Feedback  folder. 

Everything personal stays in my in-box, while news@gibbs.com
goes into my News folder and pr@gibbs.com
goes into my Press folder. I also have a Hell folder where I
route  messages  from  the  likes  of  Russian  pizza  parlors 
and  The  University  of  Phoenix. 

Messages  from  lists  get  filed  into  separate  folders  and 
finally,  personal  messages  from  my  consulting  clients 
get routed to individual folders and notification pop-ups
are created.

My  messaging  management  strategy  is  simple:  I  use 
Outlook’s  Search  Folder  feature  to  create  a  virtual  folder 
that  lists  all  unread  messages  in  my  in-box  and  Feedback, 
News  and  Press  folders,  grouped  by  their  folder  names. 
This means that once I have read the message it will
disappear from the unread view.

Messages listed in my in-box under the Search folder get
read immediately; if they need future attention, I tag them
using Outlook’s flags. Feedback gets read several times
each day, while News and Press get read first thing in the
day. Messages that need action items are tagged red,
follow-up messages that can be deferred are green, information
messages are blue; another Search folder for tagged
messages gets reviewed every couple of days.

I  tried  to  use  Outlook’s  Junk  Mail  facility  but  it  is  useless. 
Since  then  I’ve  been  using  the  AntiSpam  feature  in  Norton 
Internet  Security  (www.nwdocfinder.com/2838),  but  it 
isn’t  very  smart  so  I’m  going  to  go  back  to  using  Openfield 
Software’s  Ella  (www.openfieldsoftware.com). 

I  use  Google’s  Desktop  (www.nwdocfinder.com/2839), 
but  it  doesn’t  help  me  find  the  messages  I  need  to  track 
down. Desktop’s biggest problem is having messages
indexed  that  it  can’t  find  because  it  no  longer  knows 
where  they  are!  I  think  I  might  go  back  to  Nelson  Email 
Organizer  (www.caelo.com). 

So, how do you handle your e-mail? Do you use Outlook,
are you hooked on Eudora, or is Pine the only way
for  you?  Does  your  CrackBerry  never  leave  your  hand? 
How  do  you  file  messages?  What  are  you  doing  about 
spam?  How  complex  are  your  mail  handling  rules? 

Log  on  to  Gibbsblog  and  let  me  know  or,  if  you  must, 
send  me  a  message  at  backspin@gibbs.com. 


NETBUZZ


News,  insights  and  oddities 


So  wrong  about  so  many  things 


Paul  McNamara 


Let's  give  the  readers  a  chance  to  sound  off  this  week. 
No  recent  column  produced  more  complaints  than  a 
Feb.  20  piece  expressing  my  deep  reservations  about 
Wikipedia.  In  fact,  one  reader —  who  needs  to  get  back  on  his  meds  —  suggested  that 
I  be  horsewhipped,  then  sentenced  to  work  as  a  Wal-Mart  greeter.  Other  replies  were 
more  engaging,  such  as  this  one  from  Andrew  Embury: 

“While  Paul  McNamara  raises  some  serious  points  about  the  accuracy  of  content 
contained  in  the  Wikipedia  project,  his  example  illustration  of  the  problem  is  actually 
one of Wikipedia’s main benefits. While he found some information on the small newspaper
in Framingham, Mass., that was incorrect, he was able to fix the incorrect information
and thus improve the resource for everyone in a matter of minutes. Had this
been  a  traditional  media  source,  he  would  have  had  little  other  [option]  than  to  contact 
the  author  and  hope  for  a  response.” 

Of  course,  I  also  could  have  exacted  a  bit  of  revenge  against  those  at  that  newspaper 
who  years  ago  informed  me  my  services  would  no  longer  be  needed.  Sure,  some  wiki 
do-gooder  would  have  erased  anything  libelous  . . .  probably  . . .  eventually. 

"Your  column  on  Wikipedia  struck  a  responsive  chord,”  writes  Bob  Spooner.  “The 
idea behind the implementation would be great if it weren't for human nature. This is
not to say that other common sources of information are significantly
better. For example, virtually all the newspaper articles I have read
which  have  been  about  subjects  with  which  I  am  intimately  familiar 
have  been  riddled  with  errors.  If  you  want  good  information,  you  have 
to  do  your  own  research  by  going  to  primary  sources.” 

Hmmm,  let’s  not  give  up  on  secondary  sources  altogether  now. 

My  going  to  bat  for  AOL  in  its  dust-up  with  those  who  consider  its 
plans  for  a  premium  e-mail  delivery  service  to  be  tantamount  to  a  tax 
on  e-mail  did  not  go  over  well  with  a  number  of  readers. 

“I am the Webmaster and e-mail admin for a local children’s theater,
and most of our communication regarding rehearsals and workshops is done via e-mail
lists which are inherently opt-in, and yet we find a large percentage of our mail to AOL
is not delivered or is automatically routed to spam folders,” writes Norton Allen. “I
don’t believe our mail bears any resemblance to most spam, so I naturally assume
AOL is disinclined to guarantee delivery of our mail to encourage us to sign up for
fee-based delivery. Yes, they’ve changed their tune, and we are a 501(c)(3), so we can
probably apply for the service at no charge, but why should we be forced to jump
through hoops to have mail delivered to AOL customers who want to receive it?”


RECENTLY IN BUZZBLOG

McNamara’s online archive:
www.nwdocfinder.com/1032

■ Free advice for eHarmony.

■ Carr vs. Scoble on blogging.

■ Score one for the WeatherBug CTO.

A  column  about  InBoxer  and  its  contest  that  centered  around  an  online  collection  of  a 
half-million  e-mail  messages  from  176  Enron  employees  drew  this  reply  from  one 
curiosity  seeker: 

“It's  important  that  we  educate  users  as  to  why  they  should  be  very  careful  about  what 
they send via e-mail,” writes Bill Elberson. "Within 10 minutes of looking through the
Enron e-mails I was able to find a full name, Social Security number and employee ID . . .
It's interesting that InBoxer claims that their software will help maintain customer data
privacy while at the same time placing personal data on the 'Net for all to see."

Well, InBoxer didn’t actually put the info out there — Enron can thank the government
for that — but InBoxer hasn’t been shy about helping people pick through
the pile.

Finally,  a  column  about  the  extension  of  Stamps.com’s  PhotoStamps 
program  to  include  corporate  logos  and  other  commercial  images  on 
postage  drew  this  yawn  from  Phil  Daley: 

“I  have  just  one  question:  Does  anyone  look  at  the  stamps  on 
received  mail?  I  never  do.  I  don’t  even  care  what  stamps  I  put  on  the 
mail I send. Does anyone? . . . What’s the point?"

He’s  clearly  not  the  target  market. 


Send  more.  The  address  is  buzz@nww.com. 


There’s  the  obvious  choice 
for  a  backup  solution. 


And  then  there’s  the  smart  choice: 
NetApp  disk-to-disk  backup  solutions. 


For disk-to-disk backup, NetApp offers the most comprehensive and cost-effective solutions
in the market. We deliver a complete portfolio of disk-to-disk backup solutions that reduce backup
windows, accelerate restores, and automate routine tasks for storage and IT administrators. Over 1,000
enterprise customers such as LandAmerica, Mazda North American Operations, and Ticketmaster have
already reaped the benefits of our backup solutions. With tightly integrated solutions with top backup
applications such as VERITAS® NetBackup™ (now from Symantec), NetApp is the smart choice for
any environment.

Visit  www.netapp.com/go/disktodisk  for  more  information. 
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Trend  Micro  and  Cisco  Systems* —  working  together. 

To  defend  against  today's  aggressive  threats,  networking  and  security 
must  be  tightly  intertwined.  That's  why  Cisco  Systems  collaborates  with 
Trend  Micro  to  deliver  24  x  7  real-time  threat  intelligence  and  outbreak 
prevention services in solutions like Network Admission Control,
Incident Control System, Adaptive Security Appliances, and more.

Trend  Micro.  Integrated  intelligence.  Increased  security. 


www.trendmicro.com/cisco 
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